IGF 2019 WS #159
Towards a Human Rights-Centered Cybersecurity Training

Organizer 1: Kate Saslow, Stiftung Neue Verantwortung
Organizer 2: Julia Schuetze, Stiftung Neue Verantwortung
Organizer 3: Daniel Mossbrucker, Reporters Without Borders Germany

Speaker 1: Caroline Sinders, Technical Community, Western European and Others Group (WEOG)
Speaker 2: Farhan Janjua, Civil Society, Asia-Pacific Group
Speaker 3: Adli Wahid, Technical Community, Asia-Pacific Group
Speaker 4: Chris Kubecka, Private Sector, Western European and Others Group (WEOG)

Additional Speakers

Co-moderated by Daniel Mossbrucker, now affiliated with the Deutsche Welle Academy

Expert inputs from:

Chris Kubecka, Farhan Janjua, Gbenga Sesan.

Moderator

Daniel Mossbrucker, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Julia Schuetze, Civil Society, Western European and Others Group (WEOG)

Rapporteur

Kate Saslow, Civil Society, Western European and Others Group (WEOG)

Format

Other - 90 Min
Format description: "World Cafe" Format: Three tables for (rotating) group discussion, flip board at each table, online participation provided by online document and video conferencing, moderators will wrap-up group discussions while participants can enter contributions and thoughts into the online document.

Policy Question(s)

What role should different stakeholders play in cybersecurity capacity building approaches? How can resilience and security of cyberspace be increased by means of capacity building, media literacy, support and guidance in the digital environment? How can consumer rights and consumers’ capacity to protect themselves and their data be reinforced? (please see agenda for more specific policy questions to be discussed in the session)

SDGs

GOAL 4: Quality Education
GOAL 5: Gender Equality
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 12: Responsible Production and Consumption
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description: This interactive workshop will look at challenges of digital security and human rights by combining expert inputs, a threat modelling scenario, and dynamic brainstorming with participants.

First, we will hear a threat model on securing development cooperation in an environment of insecurity, in which an organization gets funding to strengthen the digital rights in a country of the Global South and seeks to build a Digital Human Rights Lab to investigate how their government might misuse its surveillance capabilities to target members of civil society. Specific challenges (like protecting communication, securing internet research, protecting project data, protecting bank account data, and securing the integrity of devices) will be presented as priorities.

Next, four practitioners will give more sector-specific inputs. They will discuss their main challenges and potential solutions to these challenges. These will be the first examples of "best practices" discussed. These solutions, or best practices, will be expanded upon and added to during the brainstorming session.

In three different rounds, the larger group will divide itself first into pairs for a lightning-round session to identify one best practice. Each pair will find a second pair and in this quartette, the solutions will be narrowed down into the most urgent best practice to focus on. Then, each quartette will find a second quartette. In the groups of 8 people, these best practices will be shared and compared, and the group will need to determine which of them should be pitched to the large group as the most urgent solution that could be implemented.

These final best practices will be pitched to the larger group in a final round. The online moderator will share some of the best practices from the online discussion.

Expected Outcomes:

- Some best practices of achieving sustainable human rights-centered cybersecurity training for vulnerable groups
- A better understanding of what human rights-centered capacity building means for different stakeholders and their responsibility for implementation
- Putting the focus on security and safety via cybersecurity of the people by shifting away from solely looking at "national" security of the states, which sometimes violates security and safety of the citizens

We will be present at the different tables and encourage discussion and inclusion, so that the speakers have the forum to discuss what they, as practitioners, think is crucial. We will also moderate the online discussion and make sure the online outcomes are presented to the group just like the offline participation is.

Relevance to Theme: In this workshop we want to put the focus on security and safety via cybersecurity of the people. Cybersecurity training should increase the capacity of citizens to become more secure online and therefore demand and defend their human rights safely if the state should infringe upon them. This workshop takes up that aim. Furthermore, capacity building and collaboration with diverse stakeholders can ensure that users achieve certain levels of digital and legal literacy, so that if state practices infringe upon their rights and threaten individual security, there is recourse. A human rights-centred approach to cybersecurity training is necessary so that vulnerable groups and minorities can benefit from access to technology and the infrastructure with which their state provides them. We are therefore asking in this workshop: How can we create cybersecurity trainings that aim to save these communities when principles of human-rights based cybersecurity fail? How can we properly ensure that programs that build cybersecurity capacity are actually human-rights based? Furthermore, how can these rights be operationalized in capacity-building programs for vulnerable groups through cybersecurity trainings? We will evaluate different roles of stakeholders and cybersecurity training set-up to gather best practices on achieving a human rights-centred approach to cybersecurity training that is sustainable at all levels of society, from the state to the individual. Here we specifically also want to include stakeholders that are usually involved in building capacity for cybersecurity and resilience of a state actor, such as Computer Emergency Response Teams, asking what their role could be in achieving the same for citizens. Moreover, we want to connect stakeholders that are involved in capacity building programs and those who work on human rights and/or are affected by state actions against human rights and need cybersecurity training to protect themselves.

Relevance to Internet Governance: While recommendations on how to have a human rights-based cybersecurity policy were spelled out at the IGF in 2018 (“The development of cybersecurity-related laws, policies, and practices should from their inception be human rights-respecting by design.”), this does not mean that states necessarily take this into consideration when crafting their cybersecurity practices. The issue of cybersecurity has been prioritized at the state level to protect national security. The focus on the state and “its” security crowds out consideration for the security of the individual citizen, not least because in some areas of the world, it has become the case that more security means infringing upon individual freedoms and liberties, by means of government hacking for example. The type of security that is currently prioritized is often not security (directly) relevant to the people. Examples that this is the case: repressive laws, increased surveillance, and regulatory controls from governments such as China, Egypt, the United Kingdom, Canada, Germany and France have also increased. Additionally, calls to ban security and anonymizing tools such as Tor have come from Russia, Pakistan, and Belarus, and were recently also made at the European police congress. These varied policies and practices are changing the nature of the Internet and creating challenges regarding its technical and legal fragmentation.

Online Participation

Input and contributions from online participants will be gathered throughout the session, using both a document to gather thoughts and be transparent about the ongoing discussion, and video tools that allow remote participants to follow the presentations at the beginning and partake in their own online discussion. The results will be shared and pitched to the group at the end, just like with offline participants.

Link for online participation document: https://docs.google.com/document/d/1UZYWwIfyf7GGh9tq3zAafFPMjz_H2cDqlPP…

Agenda

16.40 - 16.45: Welcome and setting expectations

16.45 - 16.55: Threat modeling and case presentation

16.55 - 17.20: Expert inputs: presentations of key challenges and some initial solutions

17.20 - 17.45: Brainstorming session and group discussions

17.45 - 18.10: Elevator pitches from groups and closing remarks

1. Key Policy Questions and Expectations

1. How can we create cybersecurity trainings that aim to save communities where principles of human-rights based cybersecurity fail?

2. How can we properly ensure that programs that build cybersecurity capacity are actually human-rights based?

3. How can these rights be operationalized in capacity-building programs for vulnerable groups through cybersecurity trainings?

2. Summary of Issues Discussed

There was broad support for the idea that we need capacity-building efforts to make individuals more secure and able to protect and demand the right to privacy and freedom of expression. This is especially the case as more states see cybersecurity as a national-level goal, and often neglect or even violate individuals' rights in the name of national security.

Many supported the idea that when it comes to cybersecurity trainings and NGO activity on the ground in the Global South, there needs to be better priority-matching while carrying out initiatives. In other words, this means making sure that what the organization on the ground (which may be benefiting from cybersecurity trainings) actually needs is what the organization trying to build capacity is offering to do.

Many also supported the need for a better handshake between the technology chosen as a solution and the problems that the organization on the ground is trying to solve. This means understanding exactly what problems an organization may be faced with and finding technologies that address those exact problems well, rather than just always adopting new technologies and new "solutions" that may, actually, not be the needed or wanted solutions.

3. Policy Recommendations or Suggestions for the Way Forward

There were many proposed suggestions for the way forward. These mainly dealt with better informing civil society actors of their IT security needs and weaknesses. Oftentimes, the technologies on the ground may be secure, but the people using them may not be, and behavior alone can be a huge security risk. To solve this, conducting human rights-centered cybersecurity trainings with civil society actors should include:

- threat modeling; adversary modeling; device security; compartmentalization and access control within an org.; project management and ample documentation; trainings for software use; 2nd level of security; common understanding of cultural differences that may plague cyber hygiene; etc.

4. Other Initiatives Addressing the Session Issues

Another issue that was brought up, and that is not covered by better or more cybersecurity trainings, is the burden that licensing fees may place on small civil society actors. Oftentimes, pirated or free online software is used by an organization, simply because the licensing fees are too great. This, however, means that more organizations use less secure devices. More could be done to help organizations with licensing fees or secure devices, so that they are better equipped to protect the right to privacy, freedom of expression, and other rights.

5. Making Progress for Tackled Issues

Progress may be made on the issue by building capacity within civil society organizations, which are crucial for the well-being of society as a whole but are often given less weight in terms of IT security. This needs to change. Small teams need to be able to protect their fundamental rights and have access to secure IT infrastructure.

6. Estimated Participation

onsite: 60, maybe 25 of those were women.

7. Reflection to Gender Issues

The session had no specific gender dimension.