3. Individuals, Societies and Digital Technologies

The ultimate purpose of digital technology should always be to improve human welfare. Beyond the socio-economic aspects discussed in the previous chapter, digital technologies have proved that they can connect individuals across cultural and geographic barriers, increasing understanding and potentially helping societies to become more peaceful and cohesive.

However, this is only part of the story. There are also many examples of digital technologies being used to violate rights, undermine privacy, polarise societies and incite violence.

The questions raised are new, complex and pressing. What are the responsibilities of social media companies, governments and individual users? Who is accountable when data can move across the world in an instant? How can varied stakeholders, in nations with diverse cultural and historical traditions, cooperate to ensure that digital technologies do not weaken human rights but strengthen them? 

3.1 HUMAN RIGHTS AND HUMAN AGENCY

Many of the most important documents that codify human rights were written before the age of digital interdependence. They include the Universal Declaration on Human Rights; the International Covenant on Economic, Social and Cultural Rights and the International Covenant on Civil and Political Rights; the Convention on the Elimination of all forms of Discrimination against Women; and the Convention on the Rights of the Child.

The rights these treaties and conventions codify apply in full in the digital age – and often with fresh urgency.

Digital technologies are widely used to advocate for, defend and exercise human rights – but also to violate them. Social media, for example, has provided powerful new ways to exercise the rights to free expression and association, and to document rights violations. It is also used to violate rights by spreading lies that incite hatred and foment violence, often at terrible speed and with the cloak of anonymity.

The most outrageous cases make the headlines. The live streaming of mass shootings in New Zealand.98 Incitement of violence against an ethnic minority in Myanmar.99 The #gamergate scandal, in which women working in video games were threatened with rape.100 The suicides of a British teenager who had viewed self-harm content on social media101 and an Indian man bullied after posting videos of himself dressed as a woman.102

But these are manifestations of a problem that runs wide and deep: one survey of UK adult internet users found that 40 percent of 16-24 year-olds have reported some form of harmful online content, with examples ranging from racism to harassment and child abuse.103 Children are at particular risk: almost a third of under-18s report having recently been exposed to “violent or hateful contact or behaviour online”.104 Elderly people are also more prone to online fraud and misinformation.

Governments have increasingly sought to cut off social media in febrile situations – such as after a terrorist attack – when the risks of rapidly spreading misinformation are especially high. But denying access to the internet can also be part of a sustained government policy that itself violates citizens’ rights, including by depriving people of access to information. Across the globe, governments directed 188 separate internet shutdowns in 2018, up from 108 in 2017.105

PROTECTING HUMAN RIGHTS IN THE DIGITAL AGE

Universal human rights apply equally online as offline – freedom of expression and assembly, for example, are no less important in cyberspace than in the town square. That said, in many cases it is far from obvious how human rights laws and treaties drafted in a pre-digital era should be applied in the digital age.

There is an urgent need to examine how time-honoured human rights frameworks and conventions – and the obligations that flow from those commitments – can guide actions and policies relating to digital cooperation and digital technology.

There is an urgent need to examine how time-honoured human rights frameworks and conventions – and the obligations that flow from those commitments – can guide actions and policies relating to digital cooperation and digital technology. The Panel’s Recommendation 3A urges the UN Secretary-General to begin a process that invites views from all stakeholders on how human rights can be meaningfully applied to ensure that no gaps in protection are caused by new and emerging digital technologies.

Such a process could draw inspiration from many recent national and global efforts to apply human rights for the digital age.106 Illustrative examples include

  • India’s Supreme Court has issued a judgement defining what the right to privacy means in the digital context.107
  • Nigeria’s draft Digital Rights and Freedom Bill tries to apply international human rights law to national digital realities.108
  • The Global Compact and UNICEF have developed guidance on how businesses should approach children’s rights in the digital age.109
  • UNESCO has used its Rights, Openness, Access and Multi-stakeholder governance (ROAM) framework to discuss AI’s implications for rights including freedom of expression, privacy, equality and participation in public life.110
  • The Council of Europe has developed recommendations and guidelines, and the European Court of Human Rights has produced case law, interpreting the European Convention on Human Rights in the digital realm.111

We must collectively ensure that advances in technology are not used to erode human rights or avoid accountability. Human rights defenders should not be targeted for their use of digital media.112 International mechanisms for human rights reporting by states should better incorporate the digital dimension.

In the digital age, the role of the private sector in human rights is becoming increasingly pronounced. As digital technologies and digital services reach scale so quickly, decisions taken by private companies are increasingly affecting millions of people across national borders.

The roles of government and business are described in the 2011 UN Guiding Principles on Business and Human Rights. Though not binding, they were unanimously endorsed by the Human Rights Council and the UN General Assembly. They affirm that while states have the duty to protect rights and provide remedies, businesses also have a responsibility to respect human rights, evaluate risk and assess the human rights impact of their actions.113

There is now a critical need for clearer guidance about what should be expected on human rights from private companies as they develop and deploy digital technologies. The need is especially pressing for social media companies, which is why our Recommendation 3B calls for them to put in place procedures, staff and better ways of working with civil society and human rights defenders to prevent or quickly redress violations.

As any new technology is developed, we should ask how it might inadvertently create new ways of violating rights – especially of people who are already often marginalised or discriminated against.

We heard from one interviewee that companies can struggle to understand local context quickly enough to respond effectively in fast-developing conflict situations and may welcome UN or other expert insight in helping them assess concerns being raised by local actors. One potential venue for information sharing is the UN Forum on Business and Human Rights, through which the Office of the High Commissioner for Human Rights in Geneva hosts regular discussions among the private sector and civil society.114

Civil society organisations would like to go beyond information sharing and use such forums to identify patterns of violations and hold the private sector to account.115 Governments also are becoming less willing to accept a hands-off regulatory approach: in the UK, for example, legislators are exploring how existing legal principles such as “duty of care” could be applied to social media firms.116

As any new technology is developed, we should ask how it might inadvertently create new ways of violating rights – especially of people who are already often marginalised or discriminated against. Women, for example, experience higher levels of online harassment than men.117 The development of personal care robots is raising questions about the rights of elderly people to dignity, privacy and agency.118

The rights of children need especially acute attention. Children go online at ever younger ages, and under-18s make up one-third of all internet users.119 They are most vulnerable to online bullying and sexual exploitation. Digital technologies should promote the best interests of children and respect their agency to articulate their needs, in accordance with the Convention on the Rights of the Child.

Online services and apps used by children should be subject to strict design and data consent standards. Notable examples include the American Children’s Online Privacy Protection Rule of 2013 and the draft Age Appropriate Design Code announced by the UK Information Commissioner in 2019, which defines standards for apps, games and many other digital services even if they are not intended for children.120

HUMAN DIGNITY, AGENCY AND CHOICE

We are delegating more and more decisions to intelligent systems, from how to get to work to what to eat for dinner.121 This can improve our lives, by freeing up time for activities we find more important. But it is also forcing us to rethink our understandings of human dignity and agency, as algorithms are increasingly sophisticated at manipulating our choices – for example, to keep our attention glued to a screen.122

It is also becoming apparent that ‘intelligent’ systems can reinforce discrimination. Many algorithms have been shown to reflect the biases of their creators.123 This is just one reason why employment in the technology sector needs to be more diverse – as noted in Recommendation 1C, which calls for improving gender equality.124 Gaps in the data on which algorithms are trained can likewise automate existing patterns of discrimination, as machine learning systems are only as good as the data that is fed to them.

Often the discrimination is too subtle to notice, but the real-life consequences can be profound when AI systems are used to make decisions such as who is eligible for home loans or public services such as health care.125 The harm caused can be complicated to redress.126 A growing number of initiatives, such as the Institute of Electrical and Electronics Engineers (IEEE)’s Global Initiative on Ethics of Autonomous and Intelligent Systems, are seeking to define how developers of artificial intelligence should address these and similar problems.127

Other initiatives are looking at questions of human responsibility and legal accountability – a complex and rapidly-changing area.128 Legal systems assume that decisions can be traced back to people. Autonomous intelligent systems raise the danger that humans could evade responsibility for decisions made or actions taken by technology they designed, trained, adapted or deployed.129 In any given case, legal liability might ultimately rest with the people who developed the technology, the people who chose the data on which to train the technology, and/or the people who chose to deploy the technology in a given situation.

These questions come into sharpest focus with lethal autonomous weapons systems – machines that can autonomously select targets and kill. UN Secretary-General António Guterres has called for a ban on machines with the power and discretion to take lives without human involvement, a position which this Panel supports.130

Gaps in the data on which algorithms are trained can likewise automate existing patterns of discrimination, as machine learning systems are only as good as the data that is fed to them.

The Panel supports, as stated in Recommendation 3C, the emerging global consensus that autonomous intelligent systems be designed so that their decisions can be explained, and humans remain accountable. These systems demand the highest standards of ethics and engineering. They should be used with extreme caution to make decisions affecting people’s social or economic opportunities or rights, and individuals should have meaningful opportunity to appeal. Life and death decisions should not be delegated to machines.

THE RIGHT TO PRIVACY

The right to privacy131 has become particularly contentious as digital technologies have given governments and private companies vast new possibilities for surveillance, tracking and monitoring, some of which are invasive of privacy.132 As with so many areas of digital technology, there needs to be a society-wide conversation, based on informed consent, about the boundaries and norms for such uses of digital technology and AI. Surveillance, tracking or monitoring by governments or businesses should not violate international human rights law.
 

It is helpful to articulate what we mean by “privacy” and “security”. We define “privacy” as being about an individual’s right to decide who is allowed to see and use their personal information. We define “security” as being about protecting data, on servers and in communication via digital networks.

Notions and expectations of privacy also differ across cultures and societies. How should an individual’s right to privacy be balanced against the interest of businesses in accessing data to improve services and government interest in accessing data for legitimate public purposes related to law enforcement and national security?133

Societies around the world debate these questions heatedly when hard cases come to light, such as Apple’s 2016 refusal of the United States Federal Bureau of Investigation (FBI)’s request to assist in unlocking an iPhone of the suspect in a shooting case.134 Different governments are taking different approaches: some are forcing technology companies to provide technical means of access, sometimes referred to as “backdoors”, so the state can access personal data.135 

Complications arise when data is located in another country: in ‎‎2013, Microsoft refused an FBI request to provide a suspect’s ‎emails that were stored on a server in Ireland. The United States ‎of America (USA) has since passed a law obliging American ‎companies to comply with warrants to provide data of American ‎citizens even if it is stored abroad.136 It enables other ‎governments to separately negotiate agreements to access their ‎citizens’ data stored by American companies in the USA. ‎

There currently seems to be little alternative to handling cross-‎border law enforcement requests through a complex and slow-‎moving patchwork of bilateral agreements – the attitudes of ‎people and governments around the world differ widely, and the ‎decision-making role of global technology companies is ‎evolving. Nonetheless, it is possible that regional and ‎multilateral arrangements could develop over time. ‎

For individuals, what companies can do with their personal data ‎is not just a question of legality but practical understanding – to ‎manage permissions for every single organisation we interact ‎with would be incredibly time consuming and confusing. How to ‎give people greater meaningful control over their personal data ‎is an important question for digital cooperation. ‎

Alongside the right to privacy is the important question of who ‎realises the economic value that can be derived from personal ‎data. Consumers typically have little awareness of how their ‎personal information is sold or otherwise used to generate ‎economic benefit. ‎

There are emerging ideas to make data transactions more ‎explicit and share the value extracted from personal data with ‎the individuals who provide it. These could include business ‎models which give users greater privacy by default: promising ‎examples include the web browser Brave and the search engine ‎DuckDuckGo.137 They could include new legal structures: the ‎UK138 and India139 are among countries exploring the idea of a ‎third-party ‘data fiduciary’ who users can authorise to manage ‎their personal data on their behalf. ‎

3.2 TRUST AND SOCIAL COHESION

The world is suffering from a “trust deficit disorder”, in the words of the UN Secretary-General addressing the UN General Assembly in 2018.140 Trust among nations and in multilateral processes has weakened as states focus more on strategic competition than common interests and behave more aggressively. Building trust, and underpinning it with clear and agreed standards, is central to the success of digital cooperation.

Digital technologies have enabled some new interactions that promote trust, notably by verifying people’s identities and allowing others to rate them.141 Although not reliable in all instances, such systems have enabled many entrepreneurs on e-commerce platforms to win the trust of consumers, and given many people on sharing platforms the confidence to invite strangers into their cars or homes.

In other ways, digital technologies are eroding trust. Lies can now spread more easily, including through algorithms which generate and promote misinformation, sowing discord and undermining confidence in political processes.142 The use of artificial intelligence to produce “deep fakes” – audio and visual content that convincingly mimics real humans – further complicates the task of telling truth from misinformation.143

Violations of privacy and security are undermining people’s trust in governments and companies. Trust between states is challenged by new ways to conduct espionage, manipulate public opinion and infiltrate critical infrastructure. While academia has traditionally nurtured international cooperation in artificial intelligence, governments are incentivised to secrecy by awareness that future breakthroughs could dramatically shift the balance of power.144

The trust deficit might in part be tackled by new technologies, such as training algorithms to identify and take down misinformation. But such solutions will pose their own issues: could we trust the accuracy and impartiality of the algorithms? Ultimately, trust needs to be built through clear standards and agreements based on mutual self-interest and values and with wide participation among all stakeholders, and mechanisms to impose costs for violations.

 

How can trust be promoted in the digital age?

The problem of trust came up repeatedly in written contributions to the Panel. Microsoft’s contribution stressed that an atmosphere of trust incentivises the invention of inclusive new technologies. As Latin American human rights group Derechos Digitales put it, “all participants in processes of digital cooperation must be able to share and work together freely, confident in the reliability and honesty of their counterparts”. But how can trust be promoted? We received a large number of ideas:
Articulating values and principles that govern technology development and use. Being transparent about decision-making that impacts other stakeholders, known vulnerabilities in software, and data breaches. Governments inviting participation from companies and civil society in discussions on regulation. Making real and visible
efforts to obtain consent and protect data, including “security-bydesign” and “privacy-by-design” initiatives.149

Accepting oversight from a trusted third-party: for the media, this could be an organisation that fact-checks sources; for technology companies, this could be external audits of design, deployment and internal audit processes; for governments, this could be reviews by human rights forums.

Understanding the incentive structures that erode trust, and finding ways to change them: for example, requiring or pressuring social media firms to refuse to run adverts which contain disinformation, de-monetise content that contains disinformation, and clearly label sponsors of political adverts.150

Finally, digital cooperation itself can be a source of trust. In the Cold War, small pools of shared interest – non-proliferation or regional stability – allowed competitors to work together and paved the way for transparency and confidence-building measures that helped build a modicum of trust.151 Analogously, getting multiple stakeholders into a habit of cooperating on issues such as standard-setting and interoperability, addressing risks and social harm and collaborative application of digital technologies to achieve the SDGs, could allow trust to be built up gradually.

 

 

All citizens can play a role in building societal resilience against ‎the misuse of digital technology. We all need to deepen our ‎understanding of the political, social, cultural and economic ‎impacts of digital technologies and what it means to use them ‎responsibly. We encourage nations to consider how educational ‎systems can train students to thoughtfully consider the sources ‎and credibility of information. ‎

All citizens can play a role in building societal resilience against the misuse of digital technology. We all need to deepen our understanding of the political, social, cultural and economic impacts of digital technologies and what it means to use them responsibly.

There are many encouraging instances of digital cooperation being used to build individual capacities that will collectively make it harder for irresponsible use of digital technologies to erode societal trust.145 Examples drawn to the Panel’s attention by written submissions and interviews include:

  • The 5Rights Foundation and British Telecom developed an initiative to help children understand how the apps and games they use make money, including techniques to keep their attention for longer.146
  • The Cisco Networking Academy and United Nations Volunteers are training youth in Asia and Latin America to explore how digital technologies can enable them to become agents of social change in their communities.147
  • The Digital Empowerment Foundation is working in India with WhatsApp and community leaders to stop the spread of misinformation on social media.148

3.3 SECURITY

Global security and stability are increasingly dependent on digital security and stability. The scope of threats is growing. Cyber capabilities are developing, becoming more targeted, more impactful on physical systems and more insidious at undermining societal trust.

“Cyber attacks” and “massive data fraud and threat” have ranked for two years in a row among the top five global risks listed by the World Economic Forum (WEF).152 More than 80% of the experts consulted in the WEF’s latest annual survey expected the risks of “cyber-attacks: theft of data/money” and “cyber-attacks: disruption of operations and infrastructure” to increase yearly.153

Three recent examples illustrate the concern. In 2016, hackers stole $81 million from the Bangladesh Central Bank by manipulating the SWIFT global payments network.154 In 2017, malware called “NotPetya” caused widespread havoc – shipping firm Maersk alone lost an estimated $250 million.155 In 2018, by one estimate, cybercriminals stole $1.5 trillion – an amount comparable to the national income of Spain.156

Accurate figures are hard to come by as victims may prefer to keep quiet. But often it is only publicity about a major incident that prompts the necessary investments in security. Short-term incentives generally prioritise launching new products over making systems more robust.157

The range of targets for cyber-attacks is increasing quickly. New internet users typically have low awareness of digital hygiene.158 Already over half of attacks are directed at “things” on the Internet of Things, which connects everything from smart TVs to baby monitors to thermostats.159 Fast 5G networks will further integrate the internet with physical infrastructure,
likely creating new vulnerabilities.160

The potential for cyber-attacks to take down critical infrastructure has been clear since Stuxnet was found to have penetrated an Iranian nuclear facility in 2010.161 More recently concerns have widened to the potential risks and impact of misinformation campaigns and online efforts by foreign governments to influence democratic elections, including the 2016 Brexit vote and the American presidential election.162
 

Other existing initiatives on digital security

The Paris Call for Trust and Security in Cyberspace is a multi-stakeholder initiative launched in November 2018 and joined by 65 countries, 334 companies – including Microsoft, Facebook, Google and IBM – and 138 universities and non-profit organisations. It calls for measures including coordinated disclosure of technical vulnerabilities. Many leading technology powers, such as the USA, Russia, China, Israel and India – have not signed up.173

The Global Commission on Stability in Cyberspace, an independent multi-stakeholder platform, is developing proposals for norms and policies to enhance international security and stability in cyberspace. The commission has introduced a series of norms, including calls for agreement not to attack critical infrastructure and non-interference in elections, and is currently discussing accountability and the future of cybersecurity.

The Global Conference on Cyberspace, also known as the ‘London Process’, are ad hoc multi-stakeholder conferences held so far in London (2011), Budapest (2012), Seoul (2013), The Hague (2015) and New Delhi (2017). The Global Forum on Cyber Expertise, established after the 2015 Conference, is a platform for identifying best practices and providing support to states, the private sector and organisations in developing cybersecurity frameworks, policies and skills.

The Geneva Dialogue on Responsible Behaviour in Cyberspace provides another forum for multi-stakeholder consultation.

The Cybersecurity Tech Accord and the Charter of Trust are examples of industry-led voluntary initiatives to identify guiding principles for trust and security, strengthen security of supply chains and improve training of employees in cybersecurity.174

Compared to physical attacks, it can be much harder to prove from which jurisdiction a cyber-attack originated. This makes it difficult to attribute responsibility or use mechanisms to cooperate on law enforcement.163

Perceptions of digital vulnerability and unfair cyber advantage are contributing to trade, investment and strategic tensions.164 Numerous countries have set up cyber commands within their militaries.165 Nearly 60 states are known to be pursuing offensive capabilities.166 This increases the risks for all as cyber weapons, once released, can be used to attack others – including the original developer of the weapon.167

As artificial intelligence advances, the tactics and tools of cyber-attacks will become more sophisticated and difficult to predict – including more able to pursue highly customised objectives, and to adapt in real time.168

Many governments and companies are aware of the need to strengthen digital cooperation by agreeing on and implementing international norms for responsible behaviour, and important progress has been made especially in meetings of groups of governmental experts at the UN.169
The UN Groups of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have been set up by resolutions of the UN General Assembly at regular intervals since 1998. Decisions by the GGE are made on the basis of consensus, including the decision on the final report.170 The 2013 GGE on Developments in the Field of Information and Telecommunications in the Context of International Security agreed in its report that international law applies to cyberspace (see text box).171 This view was reaffirmed by the subsequent 2015 GGE, which also proposed eleven voluntary and non-binding norms for states.172 The UN General Assembly welcomed the 2015 report and called on member states to be guided by it in their use of information and communications technologies. This marks an important step forward in building cooperation and agreement in this increasingly salient arena.

DIGITAL COOPERATION ON CYBERSECURITY

The pace of cyber-attacks is quickening. Currently fragmented efforts need rapidly to coalesce into a comprehensive set of common principles to align action and facilitate cooperation that raises the costs for malicious actors.175

Private sector involvement is especially important to evolving a common approach to tracing cyber-attacks: assessing evidence, context, attenuating circumstances and damage. We are encouraged that the 2019 UN GGE176 and the new Open-Ended Working Group (OEWG)177 which deal with behaviour of states and international law, while primarily a forum for inter-governmental consultations, do provide for consultations with stakeholders other than governments, mainly regional organisations.

In our Recommendation 4, we call for a multi-stakeholder Global Commitment on Digital Trust and Security to bolster these existing efforts. It could provide support in the implementation of agreed norms, rules and principles of responsible behaviour and present a shared vision on digital trust and security. It could also propose priorities for further action on capacity development for governments and other stakeholders and international cooperation.

The Global Commitment should coordinate with ongoing and emerging efforts to implement norms in practice by assisting victims of cyber-attacks and assessing impact. It may not yet be feasible to envisage a single global forum to house such capabilities, but there would be value in strengthening cooperation among existing initiatives.

Another priority should be to deepen cooperation and information sharing among the experts who comprise national governments’ Computer Emergency Response Teams (CERTs). Examples to build on here include the Oman-ITU Arab Regional Cybersecurity Centre for 22 Arab League countries,178 the EU’s Computer Security Incident Response Team (CSIRT)s Network,179 and Israel’s Cyber Net, in which public and private teams work together. Collaborative platforms hosted by neutral third parties such as the Forum of Incident Response and Security Teams (FIRST) can help build trust and the exchange of best practices and tools. 

The pace of cyber-attacks is quickening. Currently fragmented efforts need rapidly to coalesce into a comprehensive set of common principles to align action and facilitate cooperation that raises the costs for malicious actors.

Digital cooperation among the private sector, governments and international organisations should seek to improve transparency and quality in the development of software, components and devices.180 While many best practices and standards exist, they often address only narrow parts of a vast and diverse universe that ranges from talking toys to industrial control systems.181 Gaps exist in awareness and application. Beyond encouraging a broader focus on security among developers, digital cooperation should address the critical need to train more experts specifically in cybersecurity:182 by one estimate, the shortfall will be 3.5 million by 2021.183