the digest  January 2021

Should social media platforms decide what is lawful online?

In the aftermath of the violent attack on the United States Capitol—and the subsequent banning of Donald Trump on social media—we find ourselves once again asking whether tech giants wield too much power in our society. 


While Twitter defends its decision to ban the former US President in a court-like manner, and Facebook has referred the ban to its newly established Oversight Board, commentators continue to debate the role these companies have in providing checks and balances on public life and discourse.

The ability of social media platforms to determine the contours of permissible speech online has resulted in two contrasting views by policymakers. On one hand, governments are concerned with illegal and harmful forms of content and are devising new legal frameworks which require companies to address such harms through moderation and removal. This is evident through Germany's NetzDG, the UK’s Online Harms Bill and the EU’s proposed Digital Services Act. On the other hand, and particularly in the wake of the decision to deplatform Donald Trump, some politicians are now demanding less moderation and consider such actions to constitute illegitimate censorship. The President of Mexico recently vowed to lead an international effort to combat censorship by social media companies, while Poland has said it will introduce a new law to prevent social media platforms deleting content that is not considered illegal under Polish law. 

Regardless of whether governments support more or less moderation, we consider any effort to make platforms arbiters of what is lawful or not online concerning. Given the enhanced public attention on these issues, and the potential for more regulation, it is also important to consider the impacts of disparate and fragmented regulatory approaches. While states should be able to regulate where necessary to ensure that freedom of expression is respected, is it reasonable—or even possible—for all social media platforms, particularly smaller or newer ones, to comply with varying regulations across the globe? A focus on compliance with a range of different national-level regimes could also make it more difficult for platforms to take a global view of their impacts on human rights and democracy—a critical need, recently highlighted by civil society organisations in a joint statement.

Instead of watching the pendulum swing between policymakers demanding more or less moderation by platforms based on the decision du jour, we must instead redirect our attention to more nuanced and rights-based approaches to moderation and regulation. There is a clear need for greater transparency by these platforms, and effective appeals and accountability mechanisms for users. This is key to ensuring that freedom of expression is protected online, even if it is just the starting point and not a comprehensive solution. 

SolarWinds and cyber norms: some reflections

2020, a year rich in alarming and unwelcome developments, held back one final surprise for December: the revelation of a vast cyberattack on US infrastructure, dubbed SolarWinds after the software company used as a conduit for access.

Over the course of nine months, hackers used malware to gain access to a range of critical systems and institutions—from Microsoft to the US Treasury, departments of Homeland Security, State, Defense, and Commerce. The fact of the hack itself is hardly remarkable—such incidents are becoming much more common—but the scale took many by surprise. How should we interpret it?

What is interesting about any attack like this is what it reveals and confirms. This one revealed, rather paradoxically, the strength of US defenses—by providing insight into the level of intrusion necessary to overcome them. It also confirmed both the strengths and weaknesses of a digital infrastructure largely managed by private sector actors. On the one hand, it was a company, FireEye, that discovered the attack—a clear demonstration of the expertise that exists in the private sector. On the other hand, the techniques it used to discover it—a complex process of “reverse engineering”—are beyond the capacity of most of the companies affected by the breach, who also likely lack the resources for the ‘scorched earth’ tactics necessary to remove the malware used. Due to the different resource levels among all the actors affected, a more patchy response is inevitable—leaving fragments of malware possibly scattered for many years to come in systems operated by companies that only have the resources to carry out basic patches. Even more worryingly, attacks like this could disincentivise the implementation of security updates (one of the key vectors for malware distribution), making the whole ecosystem more vulnerable.

SolarWinds also makes vivid the huge range of activities in cyberspace which are technically deemed permissible, because they exist in the legal grey zone known as “espionage”. As the scale of the attack unfolded, international lawyers turned to analyse it—exposing the many unanswered questions and unclear nature of the application of international law in cyberspace, and generally concluding that “the attack did not violate international law”, simply because it didn’t cross certain thresholds. And even if US intelligence agencies and a lone private actor have pointed fingers at Russia, there’s no unequivocal evidence (and no institutional authority, like an international attribution organisation, to provide it).

Notably, no government has yet called out the attack as a violation of cyber norms—even though the attack concerns public utilities and services, and there are dedicated norms on the protection of supply chains and critical infrastructure. But in a sense this isn’t surprising: there is no common or agreed definition of critical infrastructure—revealing yet another gap in understanding that makes it difficult to implement agreed cyber norms.

Where does this leave us? An attack that causes widespread damage, but is acceptable because it’s “just espionage”—even though it affected scores of ordinary people, NGOs and businesses. From the point of view of a state, it's certainly concerning. Unfortunately, it may end up providing fresh impetus and rationale for investing in offensive cyber capabilities, including the exploitation of vulnerabilities (see the UK’s launch of its new “Cyber Force” last year) that ultimately make cyberspace less secure. 

We enter 2021 in the wake of an attack that revealed the nature of the challenge, and confirmed the gaps we already knew existed: a lack of conclusive attribution for cyber attacks, a multifaceted supply chain that requires greater collaboration between different actors, and a grey zone of "espionage" that governments will continue to exploit. Amid all this, it's clear that some actors think this kind of behaviour is unacceptable (Microsoft President Brad Smith recently called on fellow industry leaders to call it out as such); others—namely, certain states—don’t. The likely result? An ever less secure cyberspace, and a continued state of heightened tension and contestation between states—with unknown, possibly catastrophic, consequences.

To avert this, we need a collective agreement and shared understanding of what is acceptable in cyberspace, including when it comes to espionage. The human-centric implementation of agreed cyber norms and the rest of the GGE framework needs to be front and centre. And the question of whether new institutions and rules are also needed—including ones to limit cyber-espionage activities and address accountability gaps—remains an open, contested, but urgent one.

Other news: 

  • The multistakeholder dialogue series we helped organise—“Let’s Talk Cyber”—wrapped up last month. Its final report is now up on the OEWG portal.
  • The OEWG’s zero-draft is out. We’re glad to see a few references to the need for a human-centric and rights-based approach, as well as reference to the role of civil society, but there are areas where it could be strengthened. We plan to share perspectives on it soon, along with other stakeholders.
  • Under the premise of protecting “national security”, the Ugandan government shut down internet access in the country for five days this month, against the backdrop of an election marred by reports of state violence. Access to social media sites still remains restricted there.

Listening post

Your monthly global update, tracking relevant new laws, policies (and rumours) relating to the digital environment.

As we move into 2021, there’s a lot of activity around cybercrime legislation across the global South: 

  • In Vanuatu and Kiribati, new legislation is currently being proposed. 
  • Iraq has just reintroduced a draft law on combating cybercrime before the Council of Representatives. 
  • South Africa’s Parliament has passed the Cybercrimes Bill and submitted it to the President for approval.
  • Zambia’s government has reportedly shelved its draft Cybersecurity and Cybercrime bill.
  • Malaysia’s government is reportedly planning to review cybercrime legislation soon—details tbc.

Looking more broadly at cybersecurity, Turkey has published its new National Cybersecurity Strategy (NCSS) and action plan. (For more information on NCSS, see our toolkit of resources.) And the Global Forum on Cyber Expertise welcomed the Kingdom of Lesotho as its 87th member.

Turning to the online content debate, a few things to be aware of:

  • The Australian government has published a new draft Online Safety Bill, with the aim of developing a comprehensive framework to tackle online harms.
  • Following Poland’s proposal for a new social media law, Hungary’s Ministry of Justice is planning to bring a bill to Parliament to regulate social media companies’ deplatforming policies this spring.

On the emerging tech side, the big news is that Spain has adopted a National AI Strategy (NAS)—which includes strong reference to human rights, and establishes a range of important safeguarding and oversight mechanisms for the roll out of artificial intelligence technologies. Ukraine has also committed to developing an NAS, and a Resolution urging the US government to develop one was adopted by the House of Representatives; we’ll be following their progress closely.

Copyright © 2019 Global Partners Digital.
All rights reserved
