THE USE OF DIGITAL TECHNOLOGY BY HRDS IS BEING CRIMINALISED WHILE TRADE IN SURVEILLANCE MALWARE IS HAPPENING ON A GLOBAL SCALE
The internet gives us some odd contradictions and reversals. On the one hand, we see sharing platforms like Uber and AirBnB comparing their business models to the activism of civil rights heroes like Rosa Parks and Gandhi. At the same time, the legal foundation for actual civil rights activism is being restricted and the digital spaces upon which HRDs rely are being monitored. Furthermore, these groups’ use of protective security and privacy technologies is being criminalised. The United Nations Special Rapporteur on Privacy and Amnesty International have both identified digital technology — and privacy enhancing technologies in particular — as critical to the defense of human rights. And yet groups like Hacking Team are selling surveillance malware that allows governments to spy on and entrap activists. And there are no laws capable of regulating this behaviour.
The most absurd reversal in the Hacking Team story has to do with the normalisation of mass surveillance and the frequency with which activists are targeted. The trade in arms is visible, and creates considerable social, economic and cultural strife by disrupting and endangering the safety and well-being of entire communities. The trade in digital weapons, such as the surveillance tools trafficked by companies like Hacking Team, is much less visible. And, while this industry may not be disruptive on the same scale, its existence is of great concern to us here. Whereas the trade in arms is associated with situations of war and conflict, the trade in digital arms is being portrayed as integral to peace building and security. This is the rationale we are given for mass surveillance: states need to surveil digital communications in the interests of protecting their populations.
UNDERSTANDING DIGITAL SECURITY AND PRIVACY IS DIFFICULT. EDUCATING OTHERS ON THE TOPIC IS EVEN MORE CHALLENGING. BOTH JUST GOT HARDER.
The scale of Hacking Team’s work and the size of its clientele have led us to reflect on user education about digital security and privacy. The Hacking Team leaks suggest that those who want to monitor or disrupt the work of HRDs are well armed with relatively advanced malware that, once installed, renders irrelevant many of the privacy enhancing technologies to which HRDs have access. Furthermore, at least some of this malware is built around previously undisclosed “zero-day” vulnerabilities, which means that traditional anti-malware tools are of limited use even if they are installed, configured and updated properly.
Considerations like this emphasize the importance of adopting a behavioural approach to digital security and privacy rather than relying solely on tools to keep us safe. Education, training and self-learning initiatives should reflect this by focusing on robust, agile, responsive information management practices tailored to the context of the participant or beneficiary. Such workflows will often depend on a baseline familiarity with traditional tools and tactics, but this level of mastery should be considered a dependency for the real capacity building. At the same time, applied research we have been conducting here at Tactical Tech suggests that the adoption of digital security and privacy practices is contingent upon a number of factors that go well beyond pedagogical best practices, factors that range from the socio-cultural to the geo-political. (We intend to publish these findings soon, so stay tuned.)
Despite the inherent challenges, Tactical Tech and other capacity building NGOs should continue to emphasize the behavioural aspects of digital security and privacy, as they are often the weakest link for HRDs. And for others! Hacking Team itself serves as a cautionary tale in this respect. Consistent, habitual creation and maintenance of strong passwords — and the adoption of two-factor authentication where available — are often considered the first line of defence against digital security and privacy threats. Perhaps if the employees of Hacking Team had internalised this knowledge, rather than relying on passwords like “Passw0rd”, they would not have gotten hacked.
THREAT MODELLING FOR HRDS MUST EVOLVE
In most lines of work, assessing risks and barriers is a common practice. HRDs have to do this constantly as the threats they face and the environments in which they work are extremely volatile. In human rights defence, traditional risk assessment and threat modeling practice comes from a history of strategising in and through conflict. We need to problematise this starting point (even as we recognise that, for many people around the world, conflict is the lived reality and therefore the only real starting point for anything). The Hacking Team leaks reveal the extensive scale of the surveillance being developed and deployed against HRDs. How are we to think about strategy and risk management in this context? This is a good moment to reflect on how we might focus more attention on, and dedicate more resources to, the improvement of threat modeling methodologies for activists. This effort should include an investigation of the surveillance and malware industries and the incorporation of those findings into HRD security and privacy education. It is likely that we will continue to see a trend toward targeted surveillance of specific individuals and organisations — in addition to mass surveillance of entire populations — and the resources required to address this sort of surveillance are considerable.
LAWS DESIGNED TO PROTECT HRDS, ACTIVISTS AND CIVIL SOCIETY ARE BEING UNDERMINED
The fact that States are buying digital arms to use against HRDs is problematic from a policy perspective as well. There are no laws that restrict or regulate the ability of government to buy such technologies, nor are the relevant markets subject to the most basic transparency or accountability requirements. (Though organisations like Privacy International are working to change this.) While surveillance may be justified under certain circumstances, it must be accountable to the rule of law and subject to meaningful transparency and due process. The Hacking Team leaks reveal a far darker reality with respect to the relationship between states and their own laws, laws that exist to ensure the viability of opposition voices and protect HRDs. As a result, it is difficult to imagine how HRDs could exercise their rights within a democratic process. Furthermore, while there is clearly a legal vacuum here, filling it with arbitrary regulation is not the answer. In the absence of public debate, and in a context where the ‘national security’ argument trumps all, it is unlikely that such regulation would favor the interests of human rights defenders.