Trust and Security digest (January 2022)

9 Feb 2022

This extract is taken from the January 2022 issue of The digest, GPD’s newsletter. Sign up here.


Notes from the deadlocked UN cyber discussions

It’s been an inauspicious start to 2022 for stakeholders trying to engage in UN cyber discussions. 

The omens were already there in December 2021, at the first meeting of the new Open-ended Working Group on responsible state behaviour in cyberspace (OEWG). There, despite considerable advocacy—and the promise of lessons learned from the last OEWG—stakeholders were denied any opportunity to input into the formal sessions. Stakeholders were, however, reassured that discussions would be reopened on this question.

That long-awaited discussion took place last month. The result? Fierce disagreement between states, and deadlock—which means that the second OEWG meeting, scheduled for late March, may also pass without any meaningful engagement from stakeholders.

The current disagreement centres on a few small provisions in the Chair’s revised proposal for increased transparency around stakeholder inclusion. These provisions would have allowed a state to find out which states had objected to the inclusion of a specific stakeholder—potentially making the silent vetoes which have cut off NGO access to previous processes more difficult. Stakeholders had cautiously welcomed this move, though we were concerned by a regressive “gag order” caveat in the provisions, which would have forbidden discussion of stakeholder decisions after the fact. In any case, the proposal was rejected by a group of just nine states—including Russia, China and Iran—leaving the future of the process up in the air.

The origins of this deadlock run deep. It’s the latest iteration of a much longer contest among states between competing visions of internet governance—a plural, consultative and multistakeholder model, against a state-led, closed and centralised one. And while the discussions can appear dry and procedural, the stakes are high. It’s unclear how the impasse will be resolved without states who support stakeholder engagement simply backing down. If this happens, it isn’t just stakeholder inclusion at the OEWG which is at risk—it could set a precedent for a broader closing of civic space across the multilateral ecosystem.

What next? All we currently know is that the Chair will convene another informal meeting between states in mid February to discuss a way forward. This stalemate may have the effect of rendering the discussions themselves ineffective and moot in the short term at least; putting more pressure on the proposed Programme of Action (as yet still subject to ongoing deliberation among its supporters) to deliver a meaningfully inclusive discussion on responsible state behaviour in cyberspace. As ever with cyber at the UN, while the disagreements appear procedural, the root is political.

Other news

  • Over at the Third Committee, where a potential new convention on cybercrime is currently under discussion, dates for the first meeting have yet to be decided and stakeholder engagement remains uncertain. Three non-ECOSOC NGOs have so far been refused accreditation—including one that has been actively involved. It’s also unclear how input from the (possibly 500+) non-governmental groups will be managed—though it’s likely to be through pooling. This month, GPD signed onto a joint civil society letter which included recommendations to meaningfully include NGOs.
  • The controversial Alliance for the Future of the Internet—originally scheduled for December 2021—is apparently set to launch in the next few months. Very little information is available and the White House is reportedly still deciding how they’ll engage the multistakeholder community. Its proposed deliverables are currently unclear. While the US Government has posted its own on its website, the full list of participating country commitments is yet to be published on the S4D’s dedicated webpage. The plan is to launch multistakeholder ‘democracy cohorts’  to monitor and collaborate on governments’ commitments in the current ‘Year of Action’. The composition of these cohorts is still TBD but are expected to be multistakeholder in nature.
  • The EU’s Digital Services Act will have important and wide-ranging impacts on human rights of users, in the EU and beyond. Ensuring the final text is rights-respecting is therefore key—and welcome amendments that have been advocated for by civil society were adopted this month. The EU Parliament’s version of the bill currently protects the right to anonymity and the use of end-to-end encrypted services but there is still a risk that provisions to deal with content moderation could be brought in, particularly as discussions enter the ‘trilogue’ phase and the three institutions of the EU (the Parliament, Council and Commission).
  • To mark Safer Internet Day, the Global Encryption Coalition’s Steering Committee called on governments around the world to protect strong encryption.
  • We’ve recently updated our World Map of Encryption Laws and Policies with updates on 21 countries: including Japan, Ghana and Mauritius. Take a look here
  • Applications for the UN Tech Envoy closed at the end of January; but, as we’ve written, there remain a lot of unanswered questions about the process for selecting the right candidate. We’ve signed onto a joint letter to express these concerns and outline recommendations for improving the transparency of the process.

Listening post

Your monthly global update, tracking relevant laws and policies relating to the digital environment.

On the trust and security side:

  • Civil society organisations have voiced concerns relating to a number of developments, including:
    • Myanmar’s Draft Cybersecurity Law;
    • UAE’s Law on Combating Rumours and Cybercrime;
    • South Sudan’s Cybercrimes and Computer Misuse Act; and
    • Libya’s Cybercrimes Law.
  • Morocco’s Minister of Justice, Abdellatif Wehbe, announced that the Ministry is working on new legal requirements for cybercrime.
  • Congress in Brazil approved accession to the Budapest Convention. Fiji and Vanuatu have also been invited to join the Convention.
  • The UK and Pakistan both published National Cybersecurity Strategies, whilst Bahrain and Ghana confirmed they were in the process of developing strategies.
  • On laws relating to encryption, Romania has used the European Electronic Communication Code (EECC Directive) implementation to extend communications surveillance. Bangladesh is reportedly working on draft IT Rules, using the Indian guidelines as an example; and Indonesia is reportedly working on an encryption bill.