I IntroductionFootnote ¹

The meaning of the human right to privacy is evolving in response to developments in communications technology and an increasingly connected world in which data transits national boundaries imperceptibly. Although governments have had the capacity to access and store unprecedented quantities of digital communications data for some time, high-profile terrorist attacks and expanding transnational criminal activity have provided a strong motive to continue and expand these activities. When Edward Snowden revealed the global scope of existing communications surveillance capacity, states and civil society organizations turned to international law to seek clarity on how the right to privacy protects individuals, preserves legitimate state interests, and addresses the realities of the large-scale collection of data across traditional borders.

The tribunals and experts who interpret international human rights law have developed a rich body of standards on the right to privacy in communications, with European institutions leading the way. These standards address much of the present-day collection and use of digital communications, but significant gaps still exist. Until recently, there were few clear norms regarding the bulk collection of communications data, the responsibility of private companies to respect privacy rights, and the rules and protections that apply when communications data crosses borders.

This chapter explores the evolution of the right to privacy as it is established in international human rights law, and the ways in which human rights law is beginning to bridge these gaps. The first part provides an overview of the right to privacy and highlights developments in the digital age that international human rights law must urgently address. The second part outlines the scope and meaning of the right to privacy in communications as it appears in international human rights treaties and in interpretations of these treaties by international tribunals and experts. The chapter then examines how European institutions are interpreting data protection law in a way that seeks to bridge some of the gaps in privacy protection that have formed in international human rights law. The chapter concludes by describing the incipient steps that UN and European institutions are taking to address the privacy challenges presented by the seamless flow of data across borders.

II The Evolution of the Right to Privacy and Its Present Challenges

III Human Rights Law and Privacy in Digital Communications

The language of human rights treaties is general, and it falls to international tribunals, human rights mandate holders, expert bodies, and national courts to interpret the scope and meaning of a right. The European Court of Human Rights defines the obligations of the forty-seven contracting parties of the European Convention on Human Rights. Interpretations of the ICCPR, in turn, are generated by UN bodies including the International Court of Justice (ICJ), the Human Rights Committee, special mandate holders, and the Office of the High Commissioner for Human Rights (but only the decisions of the ICJ are legally binding on parties). The Court of Justice of the European Union has also begun to interpret the rights to privacy and data protection as contained in the EU Charter of Fundamental Rights. The Inter-American Commission and Inter-American Court of Human Rights interpret the American Convention on Human Rights. Consistent with the principle that human rights are universal, these entities draw on one another’s interpretations of rights and have thereby begun generating a fairly uniform body of international law on the right to privacy.

IV Data Protection and the Right to Privacy

While human rights law sets out the obligations of states that are parties to human rights treaties, data protection laws and principles regulate practices of both state and private actors that can affect the right to privacy. The protection of personal information has historically been regarded as a component of the right to privacy,Footnote ¹⁰¹ yet with the adoption of the Charter of Fundamental Rights of the European Union in 2009, data protection became a distinct fundamental right in Europe.Footnote ¹⁰² UN Special Rapporteur Martin Scheinin has opined that a right to data protection is emerging at a global level as well.Footnote ¹⁰³ While it is not recognized as such in human rights treaties outside of Europe, interpretations of data protection law that are closely tied to international human rights standards may convert this body of law into an effective tool for protecting rights at the domestic and international levels.

In terms of international law and guidelines, data protection principles are contained in the Council of Europe’s Data Protection Convention,Footnote ¹⁰⁴ the OECD Privacy Framework,Footnote ¹⁰⁵ and the Asia Pacific Economic Cooperation Privacy Framework.Footnote ¹⁰⁶ They are reflected in the newly adopted EU General Data Protection Regulation, which applies in the 28 EU member states, and in the proposed EU Regulation on Privacy and Electronic Communications.Footnote ¹⁰⁷ They include the principles that the collection and use of personal data – including communications data – should be in accordance with the law, subject to limitations, and strictly for the fulfillment of purposes that are clearly articulated to the data subject. Data should be deleted when it is no longer necessary for the purposes that justified collection. The entity collecting personal data should only disclose that data to other parties by the authority of the law or if the data subject has consented. Individuals should have notice about, and a measure of control over, the ways in which their data is collected, used, and shared, as well as ways to hold states and private actors accountable for violations.Footnote ¹⁰⁸ These principles echo the international human rights standards laid out in the previous section, and they form the basis of strong domestic data protection laws in states such as Canada, Argentina, Israel, and Japan.Footnote ¹⁰⁹

The Court of Justice of the European Union (CJEU) has interpreted EU data-protection law in light of the rights to privacy and data protection established in the EU Charter of Fundamental Rights, and its recent decisions have had sweeping impacts on public and private actors in Europe and beyond its borders. In 2014, the CJEU ruled that an EU law that allowed member states to mandate the storage of communications metadata for periods of between six months and two years was inconsistent with the rights to data protection and privacy.Footnote ¹¹⁰ According to the CJEU, telephony metadata “may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.” It determined that the retention of data of persons who were not linked to crimes was problematic, and the legal framework lacked clear rules as to how authorities should access and use that data.Footnote ¹¹¹

The CJEU reiterated its holding in Tele2 Sverige, indicating that “the general and indiscriminate retention of all traffic and location data” was not strictly necessary to achieve the aim of fighting serious crime and terrorism.Footnote ¹¹² It added that member states’ laws could permit the targeted retention of metadata for the purpose of fighting serious crime; they could also permit the retention of data from one or more geographical areas where “objective evidence” demonstrates a clear link “to fighting serious crime or to preventing a serious risk to public security.”Footnote ¹¹³ These holdings are consistent with Weber and Saravia, S. and Marper, and other case law of the European Court of Human Rights,Footnote ¹¹⁴ but unlike the latter judgments, they could be implemented immediately by private actors, who were no longer subject to the retention mandate. As such, the judgments had the practical effect of limiting the amount of data accessible to state authorities for surveillance.

In the Google Spain case, the CJEU further demonstrated the capacity of data-protection law to regulate the privacy practices of non-state actors. The CJEU held that search engine providers must respond to requests from individuals to de-index their names from search results. Such requests must be honored when the information linked to their names is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue,” unless the public interest in finding this information is determined to outweigh the individual’s privacy rights.Footnote ¹¹⁵ Several civil society organizations have argued that the decision improperly placed private companies in the role of public authorities charged with balancing rights and interests. The counterpoint is that perhaps any actor that can impact an individual’s fundamental rights, as defined in the EU Charter, should assume this level of responsibility.

By providing an explicit legal link between the practices of some of the largest multinational corporations and human rights, EU law creates more opportunities for individuals to challenge the practices of large entities. Similarly, it increases the power of European authorities to regulate these companies, both in Europe and abroad. The CJEU’s decisions may also help to define the scope of companies’ responsibility to respect users’ privacy rights, a topic that is explored in greater depth in Chapter 11 of this volume.Footnote ¹¹⁶

As human rights norms become a greater foundation for data protection law, EU authorities are also increasingly applying the latter to data that crosses international borders. The next section examines how the challenge of cross-border data flows is gradually being met by developments in both international human rights law and EU data protection law. It also notes the outstanding dilemmas to which neither body of law has definitively spoken yet.

V Ensuring the Right to Privacy Extraterritorially

The privacy protections contained in human rights law have traditionally addressed states’ conduct regarding their subjects’ data within their own borders. But digital communications flow seamlessly across borders, challenging traditional paradigms of jurisdiction over individuals and information.Footnote ¹¹⁷ This means that privacy protections may be illusory when governments with sophisticated surveillance capabilities can access the communications data of people who are not subject to their jurisdiction.

VI Conclusion

Developments in communications technology, coupled with revelations by Edward Snowden and others, have demonstrated that while human rights law has a well-developed body of standards on the right to privacy in communications, there are key areas where these standards fall short. The bulk collection of communications data seems generally permitted but circumscribed in human rights law, although few states appear to conduct such surveillance in accordance with these limits. Rules regarding the protections that apply to communications and other personal data when they are in the hands of private companies or when they transit borders are evolving, but at present are incomplete.

The most impactful recent development in this space may be the interpretation of EU data protection law in a way that incorporates or converges with the right to privacy. EU institutions are using data protection norms and enforcement mechanisms to give individuals stronger protections against the public and private actors that access their communications, regardless of location. This approach has the potential to contribute to stronger privacy protections beyond Europe, as its norms are increasingly replicated by other states seeking determinations of adequacy. Ideally, the European approach will also prompt UN mechanisms and governments to come together to devise more global solutions for the protection of privacy in the digital age, with international human rights law as their foundation.

I Introduction

The UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression recently stated that the Internet has become the central global public forum with profound value for human rights.Footnote ¹ In this global public forum, control over infrastructure and services is largely in the hands of companies, with some of the most powerful being from the United States. To participate in the online sphere, individuals must engage with online platforms such as Google and Facebook and rely on them for exercising rights and freedoms such as freedom of expression, freedom of information, and freedom of assembly.

In this sense, these companies have increasing power to influence rights in the online domain. The power of the major platforms flow from their control over a wide range of resources crucial to information search and public participation in the online realm. In 2013, The New York Times had a print and digital circulation of nearly two million and claimed to be the most visited newspaper site, with nearly thirty-one million unique visitors every month. YouTube, in contrast, had one billion unique visitors a month in 2014, or as many in a day as The New York Times has in a month.Footnote ² In terms of company valuations, as of April 2014 The Times’s market value was around 1 percent of the value of Facebook or Google.Footnote ³ By the end of 2015, Facebook had more than 1.6 billion users a monthFootnote ⁴ and Google more than one billion searches a month.Footnote ⁵

Online platforms are used every day by billions of people to express themselves and to comment on, debate, critique, search, create, and share views and content. As such, the Internet’s distributed architecture and the decrease in communications costs have fundamentally altered the capacity of individuals to be active participants in the public sphere. On a positive note, this networked public sphere facilitates new means for civic engagement, public participation, social change, and countering repressive governments.Footnote ⁶ On a more cautious note, scholars have warned that the new infrastructure for exercising freedom of expression carries with it new modalities of interference with fundamental rights, and that adequate legal responses have yet to be found.Footnote ⁷

One area of concern – not least among legal scholars, data protection authorities, and groups set up to protect fundamental rights on the InternetFootnote ⁸ – is the privatized law enforcement and self-regulatory measures of these corporate platforms. The concern is particularly related to the platforms’ means of “content regulation” and privacy practices; for example, their day-to-day decisions on which content to remove or leave up, and the extent to which they collect, process, and exchange personal data with third parties.Footnote ⁹ Several cases in the United States and Europe have addressed this concern, and new cases continue to appear.Footnote ¹⁰ Scholars have also warned of a governance gap, where private actors with strong human rights impacts operate within the soft regime of guidelines and corporate social responsibility with no direct human rights obligations.Footnote ¹¹ International human rights law is binding on states only, and despite an increasing take-up of human rights discourse within Internet companies, their commitment remains voluntary and nonbinding. In addition, limited information is available in the public domain concerning the corporate practices that affect freedom of expression and privacy.

Although a part of public discourse has always unfolded within private domains, from coffeehouses to mass media, the current situation is different in scope and character. In the online realm, the vast majority of social interactions, discussions, expressions, and controversies take place on platforms and services provided by private companies. As such, an increasing portion of our sociality is conducted in privately owned spaces. In addition, these practices are entangled in a business model in which the conversations and interactions that make up online life are directly linked to revenue. This arguably represents yet another stage of the trend of privatization. Prior examples include the dominance of corporate-owned media over the civic public sphere, the outsourcing of government functions to private contractors, and the reduction of public spaces to malls and privately owned town squares.Footnote ¹² However, the increasing significance of online platforms for public life gives rise to a large number of unresolved questions related to the techno-social design, regulation, and human rights impact of these companies as “curators of public discourse.”Footnote ¹³

As several scholars have argued, these online platforms have an enormous impact on human rights globally through the policies they adopt for their users. Within “Facebookistan” and “Twitterland,”Footnote ¹⁴ these polices have just as much validity as traditional legal rules and standards.Footnote ¹⁵ Moreover, the companies have wide discretion in enforcing the policies, as they weigh potential precedents, norms, competing interests, and administrability in developing the rules of expression and privacy that effectively govern their users worldwide. Arguably, Google’s lawyers and executives have as much power to determine who may speak and who may be heard around the world than does any president, king, or Supreme Court justiceFootnote ¹⁶ – or, as expressed by Marvin Ammori, “Technology lawyers are among the most influential free expression lawyers practicing today.”Footnote ¹⁷ At the same time, the core business of these companies is built around expression, and most of them talk about their business in the language of freedom of expression and freedom of information. Google’s official mission is “to organize the world’s information and make it universally accessible and useful.”Footnote ¹⁸ Twitter stresses that its goal is “to instantly connect people everywhere to what is most meaningful to them. For this to happen, freedom of expression is essential.”Footnote ¹⁹ Twitter also states that tweets must flow as a default principle. Facebook’s vision is to “give people the power to share and make the world more open and connected.”Footnote ²⁰

In relation to privacy, the online infrastructure of free expression is increasingly merging with the infrastructure of content regulation and surveillance. The technologies, institutions, and practices that people rely on to communicate with one another are the same technologies, institutions, and practices that public and private parties employ for surveillance.Footnote ²¹ The online infrastructure simultaneously facilitates and controls freedom of expression, surveillance, and data mining. As such, it has become a new target for governments and corporate interests alike.

Since 2009, several of the major Internet companies have upgraded and formalized their human rights commitment. Most notably this has been via industry initiatives, such as the Global Network Initiative, that focus on a company’s compliance with international human rights standards on privacy and freedom of expression.Footnote ²² Also, as Lisl Brunner points out in Chapter 10, in the wake of the NSA contractor Edward Snowden’s revelations of state surveillance, there has been increasing public focus on the exchange of personal data between Internet companies and government agencies. As a result, several companies have started to publish transparency reports to document (at an aggregated level) the numbers and types of content removal requests they receive and accommodate.Footnote ²³ Despite these efforts, there is still limited public knowledge of companies’ internal mechanisms of governance; e.g., how they decide cases with freedom of expression implications or how they harness user data.Footnote ²⁴ As illustrated by a number of cases in the European Union as well as in Europe more broadly, a number of human rights related practices continue to cause concern among scholars and regulators alike.Footnote ²⁵

Using the example of Internet companies, this chapter will critically examine current challenges related to human rights protection in the online domain. This will include questions such as: How shall we understand the role of Internet companies vis-à-vis freedom of expression? What does human rights law – and soft law such as the UN Guiding Principles on Business and Human Rights – say about private actors and their human rights responsibilities? How have major Internet companies taken up these challenges in their discourse and practices? What are some of the dynamics that work for or against stronger human rights protection online? And are the frameworks that currently govern the activities of these Internet companies sufficient to provide the standards and mechanisms needed to protect and respect human rights online?

II The Role of Internet Companies in the Online Domain

Over the past ten years, the Internet’s potential positive and negative impacts on human rights have been iterated time and again by the UN World Summit on the Information Society,Footnote ²⁶ the UN Human Rights Council,Footnote ²⁷ and UN thematic rapporteurs.Footnote ²⁸ The former UN Special Rapporteur on the Promotion and Protection of Freedom of Opinion and Expression, Frank La Rue, for example, has emphasized the unprecedented opportunity presented by the Internet to expand the possibilities for individuals to exercise a wide range of human rights, with freedom of opinion and of expression as prominent examples.Footnote ²⁹ Special Rapporteur La Rue also expressed concerns about the multiple measures taken by states to prevent or restrict the flow of information online, and he highlighted the inadequate protection of the right to privacy on the Internet.Footnote ³⁰ Of specific relevance to this chapter is his emphasis on the way private actors may contribute to violating human rights online, given that Internet services are run and maintained by companies.Footnote ³¹ In parallel to this, policy reports and scholarship have increasingly addressed the specific challenges related to human rights protection in the online domain.Footnote ³²

It is now widely recognized that access to the Internet and participation in discourse through the Internet have become integral parts of democratic life. What is less debated is the fact that facilitating this democratic potential critically relies on private actors. Access to the Internet takes place through Internet service providers, information search is facilitated by search engines, social life plays out via online platforms, and so on. Despite the increasing role that these private actors play in facilitating democratic experience online, the governance of this social infrastructure has largely been left to companies to address through corporate social responsibility frameworks, terms of service, and industry initiatives such as the Global Network Initiative.Footnote ³³ Moreover, there is limited research critically assessing the frameworks that govern the activities of these Internet companies and questioning whether they are sufficient to provide the standards and compliance mechanisms needed to protect and respect human rights online.

The Internet’s democratic potential is rooted in its ability to promote “a culture in which individuals have a fair opportunity to participate in the forms of meaning making that constitute them as individuals.”Footnote ³⁴ Democratic culture in this sense is more than political participation; it encompasses broad civic participation where anyone, in principle, may participate in the production and distribution of culture. This democratic potential is linked to the Internet’s ability to provide its users with unprecedented access to information and to decentralized means of political and cultural participation.Footnote ³⁵ By decentralizing the production of content, supplementing mass media with new means of self-expression, and enabling collective action across borders, the Internet has the potential to be a more participatory public sphere. This potential has been widely addressed in the body of literature that considers the Internet as a new or extended public sphere, yet with limited evidence of the actual democratic impact of these new modalities.Footnote ³⁶ Moreover, the democratic implications of having private actors with no public interest mandate controlling the sphere is still not sufficiently clear, yet several challenges surface.

III Human Rights Law and Private Actors

Human rights law is state-centric in nature in the sense that states – not individuals, not companies – are the primary duty bearers. Legally speaking, only the state can be brought before a human rights court, such as the European Court of Human Rights, and examined for alleged human rights violations. Part of this obligation, however, is a duty upon the state to ensure that private actors do not violate human rights, referred to as the horizontal effect of human rights law. National regulation related to labor rights or data protection, for example, serves as machinery for enforcing human rights standards in the realm of private parties.

Whereas human rights law is focused on the vertical relation (state obligations to the individual), it recognizes the horizontal effect that may arise in the sphere between private parties.Footnote ⁵² The horizontal effect implies a state duty to protect human rights in the realm of private parties, for example, via industry regulation. A large amount of the literature related to online freedoms has been occupied with new means of state interference with human rights, for example, through new means of restricting content, engaging in surveillance, or involving Internet companies in law enforcement. These new means of state interference have been explored in several comprehensive studies, for example, by the Open Net InitiativeFootnote ⁵³ and by scholars such as Jack Balkin, who have examined the characteristics of “old-school” (pre-Internet) versus “new school” speech regulation. In contrast, less attention has been paid to the implications that arise in the sphere of horizontal relations, such as when companies, on their own initiative, remove content because it violates their terms of service, or when they exchange personal data with third parties as part of their business model. In the analysis that follows, emphasis will be on horizontal relations and the human rights duties and responsibilities that may be invoked in this realm.

Over the past decade, the interface between human rights law and private actors has been the focus of considerable attention, resulting in the adoption of broad soft law standardsFootnote ⁵⁴ and the launch of many multistakeholder initiatives, including the UN Global Compact. The UN Global Compact represents one of the core platforms for promoting corporate social responsibility (CSR), a concept that refers to a company’s efforts to integrate social and environmental concerns into its business operations and stakeholder interactions. According to the UN Global Compact’s framing of corporate social responsibility, businesses are responsible for human rights within their sphere of influence. While the sphere of influence concept is not defined in detail by international human rights standards, it tends to include the individuals to whom a company has a certain political, contractual, economic, or geographic proximity.Footnote ⁵⁵ Arguably, CSR has some normative base in the human rights discourse, but these rights have not been well integrated:

Even where CSR pays attention to human rights, it primarily addresses social and economic rights, in particular as it relates to working conditions and environmental and community impact, with limited attention to civil and political rights.Footnote ⁵⁷ The critique of the CSR framework that it was too limited in scope, with a focus on selected rights only, was one of the drivers of the work of John Ruggie, who served as the special representative to the secretary general on issues of human rights and transnational corporation from 2005 to 2011.

In 2011, Ruggie’s work culminated with an endorsement of the United Nations’ Guiding Principles on Business and Human Rights (UNGP).Footnote ⁵⁸ The UNGP provides a set of principles that states and businesses should apply to prevent, mitigate, and redress corporate-related human rights abuses. Contrary to the sphere of influence approach, the UNGP focuses on the potential and actual human rights impact of any business conduct.Footnote ⁵⁹ The UNGP elaborates the distinction that exists between the state duty to protect human rights and the corporate responsibility to respect human rights based on three pillars, often called the “Protect, Respect, and Remedy” framework. The first pillar (Protect) focuses on the role of the state in protecting individuals’ human rights against abuses committed by non-state actors; the second pillar (Respect) addresses the corporate responsibility to respect human rights; and the third pillar (Remedy) explores the roles of state and non-state actors in securing access to remedy. Ruggie’s report to the Human Rights Council, which provided the basis for the UNGP, explains:

The second pillar affords a central role for human rights due diligence by companies. Due diligence comprises four steps, taking the form of a continuous improvement cycle.Footnote ⁶¹ Companies must publish a policy commitment to respect human rights. As part of its due diligence process, a company must assess, using a human rights impact assessment, the actual and potential impacts of its business activities on human rights; remediate the findings of this assessment into company policies and practices; track how effective the company is in preventing adverse human rights impacts; and communicate publicly about the due diligence process and its results. Companies are expected to address all their impacts, though they may prioritize their actions. The UNGP recommends that companies first seek to prevent and mitigate their most severe impacts or those where a delay in response would make consequences irremediable.Footnote ⁶²

Since the corporate responsibility to respect human rights refers to all internationally recognized human rights, not just those in force in any one particular jurisdiction,Footnote ⁶³ human rights due diligence should encompass, at minimum, all human rights enumerated in the International Bill of Human Rights.Footnote ⁶⁴ The UNGP guidance on human rights impact assessments remains at a general level, without detailed descriptions of the process or orientation on how it should be adapted to particular industries. Various initiatives have since attempted to address this, which we will return to below.Footnote ⁶⁵

Whereas pillars one and three combine existing state obligations under international human rights law with soft law recommendations, pillar two is soft law only, reflecting the lack of direct human rights obligations for companies under international law.Footnote ⁶⁶ The debate on whether and how to create binding human rights obligations for companies has been ongoing for more than two decades, but there is little indication that companies will be bound by human rights law in the foreseeable future.Footnote ⁶⁷

With regard to the state duties, the UNGP reiterates two existing human rights obligations. First, states must protect against human rights abuses within their territory and jurisdiction by third parties,Footnote ⁶⁸ and second, states must provide individuals access to remedies for human rights abuses.Footnote ⁶⁹ According to the first obligation, the state is required to take appropriate steps to prevent, investigate, punish, and redress private actors’ human rights abuses that take place in its jurisdiction. Such steps include effective policies, legislation, and regulation; access to remedies; adjudication; and redress. The second obligation iterates that states must take appropriate steps to ensure that injured parties have access to effective remedies when business-related human rights abuses occur within the state’s territory or jurisdiction. This includes remedies provided via judicial, administrative, legislative, or other appropriate means.

In line with this, the case law of the European Court of Human Rights (ECtHR) confirms that states have an obligation to protect individuals against violations by business enterprises. This entails an obligation to protect individuals against violations by business enterprises as third parties as well as those acting as state agents. In the first case, the human rights violation is constituted by the state’s failure to take reasonable measures to protect individuals against abuse by business enterprises; in the latter, the abusive act of the business enterprise is attributed to the state, so that the state is considered to directly interfere with the rights at stake.Footnote ⁷⁰ The case law of the ECtHR on violations by business enterprises acting as state agents concerns both the case where the state owns or controls business enterprises and the case where private corporations exercise public functions through procurement contracts and privatization of public services.Footnote ⁷¹

Ruggie’s framework, which has been widely praised and endorsed by states as well as business enterprises, has also been criticized for its slow uptake, its ineffectiveness, and for not creating binding obligations on companies.Footnote ⁷² Yet, a hard-law punitive approach has also long had its skeptics, and numerous empirical studies have spoken to the significance of social factors, both internal and external, in affecting companies’ behavior.Footnote ⁷³

The UNGP has resulted in several follow-up initiatives at both the global and regional level. At the global level, a UN working group on human rights and transnational corporations and other business enterprises was established in June 2011 to promote the effective and comprehensive dissemination and implementation of the UNGP.Footnote ⁷⁴ After completing its initial three-year appointment in 2014, the group had its mandate extended for another three-year term.Footnote ⁷⁵ The group has, among other things, produced a “Guidance” on the development of national action plans on business and human rights.

At the European level, the European Commission has produced sector-specific guides on UNGP implementation in relation to three business sectors, including the information and communication technology (ICT) sector.Footnote ⁷⁶ The guide is not a legally binding document, but translates the expectations of the UNGP to the specifics of the business sector at a rather generic level. In relation to the ICT sector, the guide stresses that the right to privacy and to freedom of expression can be particularly impacted by companies in the ICT sector.Footnote ⁷⁷ The guide focuses on the state pressure that companies may be subjected to when they operate in contexts where the national legal framework does not comply with international human rights standards (i.e., a vertical conflict). In contrast, the negative human rights impact that may flow from the company’s governance of content or tracking of user behavior is not addressed, and, as such, the guide provides limited guidance on horizontal conflict (i.e., relations between private actors). This focus on the vertical conflict is also dominant in the Global Network Initiative (addressed below) and indicates that the human rights discourse by Internet companies tends to highlight push-back strategies against illegitimate government requests, with less attention being paid to the human rights impact of the company’s own actions.

This points to an unanswered question: What would human rights law and supplementary guidelines such as the UNGP say about the responsibility of private actors that potentially affects the rights of billions of individuals worldwide?

As stated above, states are obligated to prevent human rights violations by private actors, and private actors have a moral obligation to respect human rights. States cannot delegate their human rights obligations to a private party, and they are obligated to ensure that appropriate regulations result in human rights–compliant business practices. Moreover, each company has a responsibility to assess its actual human rights impact, i.e., the way that its operational practices, services, and products impact on its users’ human rights.

The state obligation to ensure human rights entails both a positive and negative element. It requires the state to refrain from certain conduct, but also to take positive steps to ensure the enjoyment of the right in question. Freedom of expression, for example, requires that the state refrain from engaging in censorship, but also that it – via national regulation – enables freedom of the press.Footnote ⁷⁸ The measures and behavior required of businesses to fulfill their responsibility to respect human rights should be provided for by each state’s respective national laws and policies in all the various areas in which these laws and policies touch on business activities.Footnote ⁷⁹

Arguably, in many specific cases, such regulation exists and businesses do, to a large extent, respect human rights standards by complying with legal rules. It would be too optimistic, however, to assume that governments and subordinate public authorities always have the ability and the will to regulate business conduct in line with human rights requirements,Footnote ⁸⁰ not least in relatively new policy areas such as online freedom of expression. Moreover, in the case of online service providers, there is an additional layer of responsibility. Not only does the company have responsibilities in relation to its employers and community, it also directly or indirectly affects its users, who in practice might be billions of people.

Historically, controversial cases have involved privacy and freedom of expression in particular, yet with some legal subtleties that distinguish the two rights in question. As Lisl Brunner notes in Chapter 10, the right to privacy has some protection in national legislation (in particular in Europe) in the form of data-protection laws that stipulate principles, procedures, and safeguards that public and private actors must adhere to when collecting and processing personal data.Footnote ⁸¹ In the EU context, for example, Google is subject to the European Data Protection Directive, which imposes conditions and safeguards for data collection, processing, and exchange on public institutions and private companies alike. When Google, as in the Google Spain case, violates a user’s right to privacy, the company is the direct duty bearer under Spanish data protection legislation.Footnote ⁸²

In contrast, Internet platforms are rarely subject to regulation concerning the negative impact they may have on freedom of expression. When content is filtered, blocked, or taken down by Twitter because it allegedly violates the community standards, there is limited guidance in international human rights law, and rarely is there national legislation that applies. In these situations, the company is acting in a judicial capacity, deciding whether to allow content to stay up or to remove it according to internal governance practices and standards, but without the human rights requirements that would apply if Twitter were a state body rather than a private company. For example, if Twitter removes posts for violating its community standards, this does not trigger international human rights law. In contrast, if a state-owned Twitter were to remove content from the public domain, this practice would have to follow the three-part test governing limits on freedom of expression. According to the three-part test, any limitation on the right to freedom of expression must be provided by law that is clear and accessible to everyone; it must pursue one of the purposes set out in Article 19, paragraph 3 of the ICCPR; and it must be proven as necessary and the least restrictive means required to achieve the purported aim.Footnote ⁸³

A related challenge concerns the cases where content is taken down because it allegedly violates national law in the country of operation. As mentioned, Internet services hosted in the United States are insulated from liability under Section 230 of the Communications Decency Act. Concerning copyright infringements, however, Section 512 of the Digital Millennium Copyright Act codifies limited liability, which means that Internet services are required to remove alleged illegal content when notified of its presence on their service, or they will face liability for that content.Footnote ⁸⁴ This is similar to the European approach, which imposes limited liability on online services through the Electronic Commerce Directives. Both regimes have been criticized for encouraging businesses to privately regulate their affairs, with freedom of expression implications.Footnote ⁸⁵ When Facebook, for example, acts upon an alleged copyright violation by removing the content, it is making decisions with freedom of expression implications, yet as a private actor it is not obligated to follow the three-part test prescribed by human rights law. The regimes that insulate online platforms from liability for the third-party content they carry also effectively insulate them from liability when they take down protected content out of fear of liability (e.g., alleged copyright infringement).

In sum, the practices of online platforms (especially macro or authority gatekeepers) have effects on freedom of expression and privacy far beyond their roles as employers and members of a community. Do the power, influence, and capacity to affect democratic life qualify for a special class of public interest companies that invite additional corporate responsibilities beyond the duty to respect human rights?Footnote ⁸⁶ Does it accentuate the positive obligation on the state to legislate the obligations of these companies? Although Ruggie briefly touched upon these issues (with prisons as an example), there is limited guidance in his work as to the answers. In addition, although these companies’ negative impact on privacy is regulated in some regions of the world, their potential negative impact on freedom of expression is not. Neither the United States nor Europe has regulations to protect against the potential negative impact that the content-regulation practices of a major Internet company could have on freedom of expression. Moreover, the human rights responsibilities of Internet companies are largely discussed in relation to illegitimate government requests, as exemplified by the Global Network Initiative, addressed below.

The above challenges are rooted in the gray zone where human rights law ends and corporate social responsibility begins, and it is in this zone that online platforms operate. Their practices may affect human rights immensely, yet they are not regulated with a view to their impact on freedom of expression, freedom of information, or privacy, except in some specific cases. Moreover, even when Internet companies are subjected to regulation, such as on data protection, the past ten years have illustrated the tremendous challenge of holding those companies accountable to these standards. As such, there is a lacuna in checks and balances concerning these private actors. This is paradoxical, since online, these private actors are at the center of the Internet’s democratizing force and exercise significant human rights impacts on their users.

IV The Uptake of Human Rights within Internet Companies

As previously mentioned, most human rights cases related to the ICT sector have concerned freedom of expression and the right to privacy. In December 2008, this led to the launch of the first industry initiative concerned with the human rights compliance of Internet companies, the Global Network Initiative, addressed below. First, however, it should be noted that most major global platforms emphasize freedom of expression as a core element of their business. Facebook’s mission, for example, is framed in the language of freedom of expression and association by its founder, Mark Zuckerberg:

At Twitter, the company vision is closely linked to freedom of expression and the new digital means of realizing this right: “Our legal team’s conceptualization of speech policies and practices emanate[s] straight from the idealism of our founders – that this would be a platform for free expression, a way for people to disseminate their ideas in the modern age. We’re here in some sense to implement that vision.”Footnote ⁸⁸ Google stresses that the company “[has] a bias in favor of people’s right to free expression in everything we do.”Footnote ⁸⁹

The Global Network Initiative (GNI) has, since 2008, been the common venue for some of the major Internet companies’ discourse on human rights norms related to freedom of expression and privacy.Footnote ⁹⁰ The GNI is a multistakeholder group of companies, members of civil society, investors, and academics that was launched in the United States. Formation of the GNI took place against the backdrop of two particular incidents. One was Yahoo’s handover of user information to Chinese authorities, thereby exposing the identity of a Chinese journalist, leading to his arrest and imprisonment. The second was Google’s launch of a censored search engine in China.Footnote ⁹¹

The goal of the GNI is to “protect and advance freedom of expression and privacy in the ICT sector.”Footnote ⁹² At the time of writing, Google, Yahoo, Facebook, Microsoft, and LinkedIn were the Internet company members, whereas seven of the big telecommunication companies – united in the parallel initiative Telecommunications Industry Dialogue – were admitted as members in 2017.Footnote ⁹³ The baseline for GNI’s work consists of four core documents, developed in broad collaboration among the participants: the “Principles,” the “Implementation Guidelines,” the “Accountability, Policy and Learning Framework,” and the “Governance Charter.” The Implementation Guidelines operationalize the overall principles in detailed guidance to companies, whereas the Governance Charter describes how the GNI is governed in order to ensure integrity, accountability, relevance, effectiveness, sustainability, and impact. The Accountability, Policy, and Learning Framework supplements the Governance Charter with more detail on how the work of the GNI is carried out.Footnote ⁹⁴

Since its inception, the GNI has been criticized for lack of participation (including by smaller and non-US companies), for not being independent enough in the assessment process,Footnote ⁹⁵ for the lack of a remedy mechanism, for insufficient focus on privacy by design, and for a lack of accountability.Footnote ⁹⁶ These criticisms speak to the inherent challenge of having an industry define its own standards and procedures for respecting users’ rights to privacy and freedom of expression. Moreover, it has been argued that the protection of users’ rights runs contrary to business interests.Footnote ⁹⁷ In relation to the latter challenge, it is important to note some fundamental differences between the rights in question and the challenges they pose.

Both privacy and freedom of expression protect individual freedoms by setting limits on state (and private actor) intrusion. With privacy, these limits are formulated as principles that guide how and when personal information may be collected, processed, and exchanged with a third party. In relation to data protection, it seems paradoxical to expect that the boundaries for data collection and use will be most effectively protected by companies whose business model is built around harnessing personal data as part of their revenue model. Whereas companies may push back against illegitimate government requests for user data, they are less likely to be a sufficiently critical judge of their own business practices, not least when these are closely linked to their business model.

With freedom of expression, the issue is slightly different. Here, the potential conflict between human rights standards and business practices stems from several factors, more indirectly linked to the revenue model. These factors include: unclear liability regimes that might incentivize the company to remove alleged illegal content without sufficient due process safeguards and that position the company as the final authority regarding which content to remove; pressure from governments to block, filter, or remove content; and internally defined standards regarding content moderation and enforcement of the standards.

As reflected in its baseline documents, the GNI is strongly anchored in the initial narrative of providing guidance to Internet companies in countries where local laws conflict with international human rights standards, rather than the systematic human rights impact assessment suggested by the UNGP. The GNI Principles state:

Similarly, the Implementation Guidelines for Freedom of Expression discuss company practices in relation to “Government Demands, Laws and Regulations”Footnote ⁹⁹ rather than human rights impacts. These principles illustrate that for the GNI, threats to freedom of expression are framed as illegitimate government behavior, and its role is to assist companies with human rights–compliant conduct when confronted with, for example, an overly broad request for filtering or blocking of content.

While industry push-back against illegitimate government requests undoubtedly addresses a relevant human rights problem, it is not sufficient to comply with the responsibilities set out in the UNGP. Those responsibilities require companies to know their actual and potential human rights impacts, to prevent and mitigate abuses, and to address adverse impacts they are involved in. In other words, companies must carry out human rights due diligence across all operations and products. The process of identifying and addressing the human rights impact must include an assessment of all internal procedures and systems, as well as engagement with the users potentially affected by the company practices. It follows that for GNI members such as Yahoo, Facebook, and Google, it is not sufficient to focus on government requests and human rights–compliant practices in this realm. Rather, assessment is needed on the freedom of expression impacts that may flow from all company practices, including, for example, when the company enforces community standards or takes down content based on alleged copyright infringement.

Internet platforms such as Facebook and YouTube influence the boundaries of what users can say and view online via their terms of service. Enforcement of these terms of service must work effectively at a scale of millions of users, including in high-profile controversies such as the “Innocence of Muslims” video,Footnote ¹⁰⁰ as well as in more routine cases where users report objectionable content. In practice, the terms are translated into specific definitions and guidelines that are operationalized by employees and contractors around the world, who “implement the speech jurisprudence”Footnote ¹⁰¹ by making decisions on which content to leave up or remove.Footnote ¹⁰² According to Google, for example, deciding on the limits of freedom of expression for a billion users is “a challenge we face many times every day.”Footnote ¹⁰³ Yet, an intermediary’s terms of service and the means of enforcing those terms are not part of the GNI norms and standards.

A similar challenge is found in relation to privacy. The GNI Principles iterate that

The corresponding section in the Implementation Guidelines addresses “Government Demands, Laws and Regulations” as well as “Data Collection.” The latter is concerned with risk analysis of the specific national jurisdiction in which the company operates.Footnote ¹⁰⁵ In line with its counterpart on freedom of expression, the GNI Principles and the attached Implementation Guidelines focus merely on the negative human rights impact caused by external pressure from governments, whereas internal mechanisms related to data processing and exchange remain unchallenged.

This is unfortunate, given that the business model of online platforms, which is based on targeted advertising, is increasingly accused of promoting privacy violations. On Facebook, for example, advertisements are targeted to individual users’ interests, age, gender, location, and profile. This enables advertisers to select specific groups and target advertisements either on the Facebook website or on other websites using Facebook’s advertising services. This business model has caused a number of privacy-related controversies. Most recently, in 2015, a Belgian research study criticized Facebook’s data-processing practices and concluded, in relation to Facebook’s social media plug-ins, that it processes the personal data of its users as well as the data of all Internet users who come into contact with Facebook, without the necessary consent for “tracking and tracing” or consent for the use of cookies.Footnote ¹⁰⁶ As a follow-up to the study, the Belgian Privacy Commissioner issued a set of recommendations to Facebook.Footnote ¹⁰⁷ This is just one example of how Internet platforms can impact the privacy of their users due to their online business model rather than government pressure. Yet, these aspects of company practice in relation to privacy are not included in the GNI norms and standards.

In sum, several of the major Internet companies frame their core mission in terms of freedom of expression and engage in industry networks such as the GNI that are dedicated to protecting human rights norms and standards in the online domain. Yet, the effectiveness of the GNI to protect human rights is challenged by several factors. First, it is based on a voluntary commitment, with no binding obligations on companies. Second, it is largely occupied with limiting and safeguarding against undue government pressure on companies, whereas content regulation and user tracking and profiling are not covered, despite their potential human rights impact.

V Challenges to Human Rights Protection in a Privatized Online Domain

In this final section, I will discuss whether the frameworks that currently govern the activities of online platforms are sufficient to provide the standards and mechanisms needed to protect and respect human rights online, drawing on the challenges outlined in the previous section.

A first challenge relates to the circumstance that core civil and political rights (privacy, freedom to search for information, freedom to express opinion) are exercised within a commercial domain, with companies holding unprecedented power over the boundaries and conditions for exercising those rights. Arguably, some of the most widely used platforms and services may affect public and private life in a way traditionally reserved for public authorities, yet they are largely free from binding standards to protect freedom of expression and privacy. Whereas this governance gap may have a positive impact on rights and freedoms in a state-repressive context, it does not take away the challenges that this raises within democratic societies. Companies that have a substantial impact on the environment are increasingly subjected to national regulations for business conduct, yet similar attention has not been paid to online platforms. Scholarship is only now beginning to address the broader societal implications of private ownership of the online infrastructure of search, expression, and debate that results in the double logic of user empowerment and commodification of online activity.Footnote ¹⁰⁸

Human rights law is state-centric in nature and holds no direct human rights obligations for private actors. The governance gap accompanying globalization was a core driver for the development of the UNGP, and therefore for asserting the corporate responsibility to respect human rights as a freestanding, universally applicable minimum standard of business conduct – one driven by global social expectation while at the same time based on international law.Footnote ¹⁰⁹ Nonetheless, the soft law framework of the UNGP, however widely endorsed, remains voluntary by nature, as do industry initiatives such as the GNI.

Further, even these soft law frameworks have significant gaps. In 2016, the five GNI member companies were positively assessed by GNI-appointed assessors for compliance with GNI norms and standards.Footnote ¹¹⁰ There are, however, several shortcomings to this assessment process. First, it does not entail a comprehensive human rights impact assessment of all business practices as prescribed by the UNGP, but instead focuses more narrowly on the issues that the GNI members have chosen to include in their development of norms and standards. This means that push-back strategies against illegitimate government requests are the focus of assessment, whereas the impact of business processes concerned with taking down content that does not adhere to internally defined business standards is not considered. Second, the terms and conditions of the assessment process (including the selection of assessors) are carried out within the circuit of the GNI, providing the companies subject to review with influence on the baseline for this review.

Another human rights weakness in these soft law frameworks concerns the limited access to remedy mechanisms. As emphasized by the third pillar of the UNGP, states must take appropriate steps to ensure access to an effective remedy when business-related human rights abuses occur within their jurisdiction. Despite the impact that online platforms have on users’ rights of expression and privacy, limited channels exist for users to address potential or actual infringements of such rights.Footnote ¹¹¹ In sum, given the impact that these companies potentially have on human rights in terms of scope and volume, the voluntary approach seems insufficient to provide the billions of Internet users with the level of protection they are entitled to according to international human rights law.

This brings us to the second challenge, namely, whether the state has a positive obligation to legislate the obligations of these companies. Does the character of major online platforms call upon states to provide human rights guidance and possible regulation of these actors? Until now, neither the United States nor Europe has taken up this challenge. In April 2016, the European Union concluded a four-year-long comprehensive data protection reform, including, among other things, increased focus on the practices of online platforms.Footnote ¹¹² Yet while online platforms’ negative impact on privacy has received some attention, their impact on freedom of expression has not. As such, there is no national regulation to protect against the potential negative impact that a major Internet platform may have on freedom of expression. As previously mentioned, in the United States, the First Amendment and the public forum doctrine protect expressions in the public domain, but on the Internet, private companies in control of communicative platforms are free to decide the types of speech they support. This includes taking down or blocking and filtering expression that would otherwise be protected by the First Amendment. In consequence, expression is less protected in the online domain, despite the wide opportunities online platforms provide for new means of realizing freedom of expression. Likewise, in the United States, there is no general data protection regulation covering these private actors, and thus no clear boundaries for the companies’ handling of personal data.

However urgent, several factors indicate that a solution will not be forthcoming in this area any time soon. The transnational nature of online platforms makes it difficult for states to address their impact on freedom of expression or privacy domestically. Moreover, up till now, the United States and European states have been unable to agree on the scope of freedom of expression, for example concerning protected speech, and they have lacked a common standard for data protection. Whereas the European approach is geared toward both negative and positive state obligations in the area of freedom of expression and privacy (e.g., imposing regulations on private actors), the US approach has focused on the negative state obligation to avoid interference. While the issues raised have received some scholarly attention, they have not surfaced as prominent policy issues in either Washington or Brussels. As such, it is not realistic to expect common US/EU policy for the major online platforms in the foreseeable future.

If European states were willing to invoke their positive state obligation in order to protect freedom of expression online, they would have to apply national standards for protected speech to the online domain. In consequence, Internet platforms would have to comply with a number of different standards for protected speech, depending on the location of their users. Although this would most likely cause controversy and resistance from the companies, it is in principle no different from the current situation, in which platforms adhere to different regimes for unlawful content depending on the national context in which they operate. In other words, while both Facebook and Google have processes for dealing with alleged unlawful content in a specific national jurisdiction, they might also have processes for ensuring that no content is taken down unless it satisfies the criteria set out in human rights law. Such a mechanism would ensure that the companies’ commitment to freedom of expression is operationalized not only in relation to government pressure, but also in relation to the day-to-day practices that govern their communities of users.

In conclusion, divergence in the US and European approaches to privacy and freedom of expression, as well as the complexity of defining legal responsibilities in the face of conflicting local laws, means that a concerted state effort in this field is unlikely. Yet authoritative human rights guidance for the major online platforms is urgently needed in order to clarify the scope of their responsibilities and, more importantly, to ensure that their impact on billions of users’ rights is mitigated and potential violations are remedied.

I Introduction

Since 2013, perhaps no human rights issue has received as much sustained attention as the right to privacy. That was the year the first Snowden revelations reached the public, detailing sophisticated, large-scale US government surveillance programs designed to capture or analyze incredibly large volumes of digital data. In the weeks and months that followed, media reports confirmed that the US government had, at various recent points, run programs designed to scan and harvest data contained in e-mails, track Internet browsing activity, collect data from cell phones, collect digital contact lists (including e-mail and instant messaging contacts), and collect photographs of Internet users all over the world.Footnote ¹ Other governments have been revealed to engage in similar practices.Footnote ²

Targeting the use of digital technologies is an obviously fruitful approach for state surveillance programs. By the middle of 2016, one estimate placed worldwide Internet use at more than 3.5 billion people.Footnote ³ Cell phone use is even more widespread, with recent reports suggesting the world is approaching five billion mobile users.Footnote ⁴ Significant numbers of people also use other technologies conducive to tracking, such as E-ZPass or Global Positioning System (GPS) devices. Those numbers are likely to increase in the coming years, which is particularly significant because of the way in which digital technologies lend themselves to insecure use and mass surveillance.

The ongoing global conversation about the legality of surveillance practices has focused on a number of dimensions of the human right to privacy, but there has been little serious discussion of a major factor in the expansion of the insecure use of digital technologies: the user. A significant portion of the information collected by surveillance (or otherwise made vulnerable to unintended recipients) is exposed voluntarily, sometimes deliberately or knowingly, or with unjustified ignorance of the risks of transmitting it in a particular manner. This chapter argues that, as human rights bodies, governments, and advocacy groups seek to understand the protections provided by the human right to privacy, it is also essential to clarify the conditions (if any) under which a person may waive those protections. The purpose of this chapter is therefore to help launch a conversation about waiving the human right to privacy and the role of the state in fostering the ability of individuals to make better choices in protecting their privacy.Footnote ⁵

II Individual Choice and the Human Right to Privacy

The Snowden revelations have triggered increased engagement on the right to privacy among civil society organizations,Footnote ⁶ multiple votes within the United Nations General Assembly,Footnote ⁷ research by the United Nations High Commissioner for Human Rights,Footnote ⁸ and the establishment of a new special rapporteur on privacy by the Human Rights Council.Footnote ⁹ Pressure is also building on the Human Rights Committee to update its interpretation of the right to privacy under the International Covenant on Civil and Political Rights (ICCPR), primarily to account for changes in circumstances and technological developments that render its previous interpretation from the 1980s practically obsolete.Footnote ¹⁰

This flurry of activity has largely left aside the relevance of individual users and the choices they make in the storage and transmission of their private information. Consider the state of the debate about US human rights obligations related to privacy – obligations that have occupied center stage since media outlets began publishing the Snowden revelations. Although a number of international agreements address the right to privacy,Footnote ¹¹ a primary source of human rights obligations for the United States is the ICCPR, to which the United States has been a party since 1992. Article 17 of the ICCPR stipulates that “[n]o one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence … [and e]veryone has the right to the protection of the law against such interference.”Footnote ¹² Additional articles in the covenant inform the scope and rigidity of individual rights, such as by addressing the geographic range of state duties under the covenant or the conditions under which a right might be limited or outweighed by other considerations (such as protecting national security).

The ICCPR does not explicitly address the role of individual choice in connection with the right to privacy,Footnote ¹³ which means choice has not factored much into a debate that has largely followed the text of the covenant. For example, a significant dispute has arisen about the meaning of the covenant’s ban on “arbitrary” and “unlawful” interference with protected privacy interests.Footnote ¹⁴ Multiple UN rights experts have recently concluded that non-arbitrariness requires states, inter alia, to ensure the necessity of interferences with the right to privacy and the proportionality of their invasive practices.Footnote ¹⁵ Such requirements are intended to ensure the continued relevance of the human right to privacy in the digital era and would, in theory, provide a check on large-scale surveillance of the sort revealed by Snowden.Footnote ¹⁶ Thus far, however, the United States has rejected requirements like necessity and proportionality, arguing that those standards do not necessarily follow from a ban on arbitrary and unlawful interference.Footnote ¹⁷ Instead, the United States insists that its programs need only be (and consistently are) “reasonable” because they are authorized by law and not arbitrary.Footnote ¹⁸

Another dispute concerns the geographic scope of state duties under the covenant. Article 2(1) provides that “[e]ach State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant.”Footnote ¹⁹ The United States typically interprets the phrase “within its territory and subject to its jurisdiction” conjunctively, such that it only accepts duties under the covenant toward people of whom both modifiers are true.Footnote ²⁰ Key human rights bodies, including the Human Rights Committee (the UN body tasked with interpreting the ICCPR), have rejected that reading and interpret the phrase disjunctively.Footnote ²¹ This disagreement has garnered increased attention as a result of US surveillance revelations, because the narrower position turns would-be beneficiaries of human rights protection into unprotected targets of surveillance.

Yet another dimension of the ongoing debate about the human right to privacy concerns the limitations clauses built into the ICCPR. The United States has emphasized that it takes a broad reading of those limitations – especially the national security limitation articulated in, among other places, Articles 19, 21, and 22.Footnote ²² The US government routinely cites national security considerations to justify practices of concern to human rights bodies, including surveillance.Footnote ²³ The implications of that approach are far-reaching in light of the ongoing War on Terror, which lacks any obvious or imminent endpoint.

Overall, the contours of this debate are unsurprising; the language of the covenant is a natural focal point for states and human rights bodies alike, and their disagreements, in turn, frame the contributions of interested advocacy groups. But the issue of personal choice casts a shadow over all such textual analysis. It is surely uncontroversial that one can, at least sometimes, waive privacy protection for particular pieces of information by exposing them to collection.Footnote ²⁴ It should also be uncontroversial that some digital information, even if it can be obtained by intelligence agencies or hackers, remains protected by the human right to privacy. Yet through the insecure use of digital technologies, people increasingly expose enormous swaths of protected information with unclear levels of intentionality and culpability – even as the covenant remains silent on waiver generally and the ongoing debates about the human right to privacy fail to provide much clarity. The conditions under which one waives legal privacy protections are therefore both extremely important and extremely unclear.

Vulnerability can be chosen, such as when people share private information in public fora (like public websites). It can be recklessly or negligently assumed, such as when people undertake to store or transmit personal information in insecure ways (whether knowingly or because they lack a reasonable appreciation for the risk). It can arise through no fault of a user when it results from justifiable ignorance on the user’s part. And it can be imposed by circumstance in spite of a user’s best efforts, such as by the mere fact that surveillance authorities and hackers around the world typically have more power to harvest information than even the most committed individuals have to protect it. Any reasonable understanding of the waiver of the right to privacy must account for different notches on this spectrum.Footnote ²⁵

For simplicity, we might assume that posting private information – say, political leanings and hobbies – on a public Facebook page constitutes some sort of waiver of privacy protection for that information, meaning that such information would fall outside the scope of the protections contained in Article 17. But what about intermediate cases that expose us to broader-than-intended intrusions, such as posting the same information on a semipublic Facebook page that is set to restrict access only to approved “friends”? Or sending sensitive information via unencrypted e-mail to a single recipient? Or running a sensitive Google search from a personal computer alone in one’s home? Or carrying a cell phone that could just as well connect to a stingray as a cell phone tower? Or attempting to send an encrypted message but accidentally sending the message unencrypted?

These examples underscore a complicating underlying factor: Even when we want to protect our privacy, we are often fundamentally incapable of employing digital technology securely, whether due to ignorance, lack of skill, or inherent limitations in the technology itself. Yet we constantly use such technology anyway. Consider the example of the United States, which in some ways is a particularly risky place for such a casual approach to technology. Not only does the United States aggressively gather as much data as it can through perhaps the most powerful surveillance apparatus in the world, but it also features some problematic legal precedents for privacy under domestic law.

A string of Supreme Court cases has established the legal principle that voluntary disclosure of information to third parties eliminates one’s expectation of privacy for that information, thereby defeating constitutional privacy protections that would require law enforcement to get a warrant for it.Footnote ²⁶ In several cases decided between 1952 and 1971, the court consistently held that the Fourth Amendment prohibition on unreasonable search and seizure does not apply to the contents of a person’s utterances that are voluntarily communicated to a government agent or informant.Footnote ²⁷ A second series of cases, decided between 1973 and 1980, extended that rule to business records that are provided to a third party. For example, in United States v. Miller, the Supreme Court ruled that there is no reasonable expectation of privacy in checks and deposit slips provided to banks, as those are “negotiable instruments” rather than “confidential communications” and the data they contain are “voluntarily conveyed” to the banks.Footnote ²⁸ In Smith v. Maryland, the Court reinforced its earlier holdings as applied to records of phone calls placed by a criminal suspect. The Court held that, because dialing numbers from one’s phone involves providing those numbers to the phone company, the police can collect records of those calls, without a warrant, through the use of a pen register installed on the telephone company’s (rather than the suspect’s) property.Footnote ²⁹

In one sense, each of these rulings was quite narrow. The first cluster addressed a criminal defendant’s communications with a government agent or informant, Miller concerned checks and deposit slips provided to a bank, and Smith addressed the right of a criminal suspect to assert Fourth Amendment protection for the numbers he dials from his home phone. Yet in all of these cases, the Court held that constitutional privacy protections under the Fourth Amendment to the US Constitution simply did not apply, at least in part because the parties asserting their rights had voluntarily disclosed the information in question to a third party. The cases are thus suggestive of a rule that extends to many other contexts.

As many have noted,Footnote ³⁰ the underlying rule – sometimes referred to as the “third-party doctrine”Footnote ³¹ – has sweeping implications in the current era. Most people now turn over a significant and growing proportion of their private information to third-party service providers. E-mail providers like Google rather notoriously scan the text of our messages for key words so they can tailor their advertising to matters of interest to specific users. The specific websites we visit are recorded by Internet service providers (ISPs).Footnote ³² And, just like in Mr. Smith’s case, significant information about our phone activity – now including text messages as well as calls – passes through the hands of our phone service providers.

In fairness, there is a question as to whether the third-party doctrine would extend to the content of communications (rather than metadata) passing through the hands of a service provider.Footnote ³³ The phone numbers in Smith are considered metadata, and it is debatable whether the monetary values on checks and deposit slips from Miller count as content.Footnote ³⁴ The first series of cases discussed above concerned content, but that content was conveyed (sometimes unknowingly) to a government agent or informant rather than through a third-party service provider. One might attempt to distinguish these cases, as Orin Kerr has done, carving out Fourth Amendment protection for content but not metadata.Footnote ³⁵ Others, like Greg Nojeim, argue that metadata can be sensitive enough to warrant Fourth Amendment protection on its own, even if precedent does not necessarily support that view.Footnote ³⁶ There is no clear consensus on the matter in US courts, although the holding in Smith could arguably reach content, because the court does not explicitly distinguish between content and metadata: ”[T]his Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”Footnote ³⁷ And although Justice Sonia Sotomayor has questioned the third-party doctrine precisely for its implications at a time when so much of our daily activity involves third parties,Footnote ³⁸ it remains unclear how US courts will continue to apply the doctrine.

In light of what appear to be tangible legal risks, not to mention the practical likelihood that various state intelligence agencies and others are likely to obtain nontrivial proportions of our digital data, it is therefore worth inquiring how deliberately and culpably people appear to store and transmit so much sensitive information insecurely.

III The Voluntariness of Insecure Use of Technology

It is impossible to deny that cell phones and the Internet are convenient for managing private matters, and many of us sometimes elect to use them when we know (or should know) that it is insecure to do so. But in light of the possible implications for waiving the human right to privacy, it is important to recognize that the use of digital technologies is often less voluntary than might appear at first glance. While there is obviously some element of choice in when and how people adopt technologies, there is a large measure of compulsion as well. Many employers assign e-mail addresses to employees, the use of which is more or less mandatory. Certain employers also issue smartphones to remain in better contact with their employees, or to enable employees to remain in better contact with clients. Universities often require students to use online systems to access course materials and other important information. Indeed, online research has become all but unavoidable for a number of jobs and scholarly endeavors. For many people, unplugging is not even a meaningful possibility.

There are also broader practical concerns that raise questions about the voluntariness of much Internet and phone use. The obvious utility of cell phones can make it prohibitive to eschew them. For example, cell phones are unparalleled as a parenting tool for remaining in contact with one’s children. Even for those who can do without a cell phone, the choice to do so can impose substantial costs. Moreover, increasing cell phone use has correlated with a dramatic decline in the installation and maintenance of pay phones, making it ever more impractical to hold out for privacy reasons.Footnote ³⁹

Similarly, refusing to use the Internet may ultimately foreclose access to a range of substantive goods.Footnote ⁴⁰ Remaining in touch with others is just one example. For those of limited means, long-distance communication without the Internet is especially difficult, as phone calls can be expensive and postal mail is slow. But instant messaging and voice-over-IP services (like Skype) permit free communication with other users all over the world. Similarly, staying up to date on current events, managing one’s finances, and planning travel – not to mention applying for food assistance or other government benefits – are all increasingly difficult without the Internet, as companies and governments have scaled back support for non-Internet-based interaction. Resisting new technologies can be so costly that it hardly resembles a genuine choice.Footnote ⁴¹

Moreover, there is good reason to conclude that many users of digital technologies simply fail to appreciate their vulnerability, rather than knowingly assuming that vulnerability.Footnote ⁴² People routinely surrender sensitive or damaging personal information to third parties that cannot safeguard it properly, as evidenced (for example) by recent hacks of Sony, Target, Yahoo, and the Ashley Madison website.Footnote ⁴³ The Ashley Madison hack, for instance, exposed the identities of many people who had used the site to set up extramarital affairs. Some of those people were seriously harmed by the revelation, including employees of the US federal government who used their official work e-mail addresses to set up accounts.Footnote ⁴⁴ It is implausible that most of these people were indifferent to publication of their private information, and much more likely that they did not fully appreciate their vulnerability.

Further, many of those who recognize the privacy threats posed to electronic communication have limited resources and expertise to address the problem. For those who are not adroit with technology, it can be intimidating to pick among the options and get comfortable using the proper tools as a matter of course. Unsurprisingly, there are also conflicting opinions about the efficacy of various measures, and those who lack a technical background are not well placed to make a confident choice.

Security can also be both expensive and slow; at minimum, as one particularly tech-savvy individual put it, proper security measures can impose a significant tax on one’s time.Footnote ⁴⁵ Moreover, even those measures that are inexpensive and simple to use may be ineffective without buy-in from one’s correspondents. For example, free, easy-to-use software is available for encrypting chats, text messages, and phone calls,Footnote ⁴⁶ but encryption is pointless unless all parties to a communication are willing to use it. And the typical user also has no power whatsoever to improve the security of some of the systems many of us are obligated to use, such as e-mail provided by an employer.

Lacking the time, knowledge, power, and sometimes money necessary to invest heavily in data security, the average person finds himself trapped between two imperfect options: risk the insecurity that comes with the use of ubiquitous and convenient technologies, or forego some of the most efficient tools available for conducting personal or professional business. And, often enough, the world – whether through our employers, our schools, or the demands of our personal lives – picks the first option for us.

Even parties with significant resources strain to maintain security – not necessarily because they are careless or sloppy, but rather because digital data can be vulnerable to collection by any number of actors, and because it can be exceedingly difficult to understand the nature of those vulnerabilities and to institute adequate protections. The US intelligence community, for instance, has failed repeatedly at protecting highly classified information from both whistleblowers and hackers.Footnote ⁴⁷ It is not surprising, therefore, that sophisticated individuals struggle as well. I previously did research on surveillance for Human Rights Watch (HRW) and the American Civil Liberties Union (ACLU), for which I interviewed (among other people) nearly fifty journalists covering intelligence, national security, and law enforcement.Footnote ⁴⁸ Those journalists have an overriding interest in protecting both the identities of their sources and the contents of their conversations. First and foremost, that interest arises from a general feeling of obligation to shield the identities of those who provide them with information. As a practical matter, the journalists also recognize that failure to protect sources effectively could compromise their ability to develop other sources in the future.

Many of the people I spoke with worked for major outlets, like The New York Times, The Wall Street Journal, The Washington Post, NPR, and ABC News.Footnote ⁴⁹ Most also had years, even decades, of experience reporting on sensitive subjects, and a number had already won Pulitzer Prizes. As journalists go, therefore, the group I interviewed was elite in both their level of skill and their access to institutional support for the proper tools of the trade. All of that notwithstanding, these journalists consistently and vividly relayed to me significant ongoing challenges in using digital technologies securely.Footnote ⁵⁰ Nearly all of them told me that the most secure method of doing their work involved avoiding technology as much as possible – meeting sources face-to-face while leaving cell phones at the office, or saving notes in hard copy rather than electronically.

Yet “going dark” by avoiding electronic devices significantly impeded their work, could still draw scrutiny, and was sometimes impossible.Footnote ⁵¹ To the extent that use of digital technologies is unavoidable, many of the journalists reported upgrading their security. For example, a number described learning how to use Tor, how to encrypt e-mails, chats, and texts, and how to purchase and set up air-gapped computers.Footnote ⁵² Some benefitted from data security training run by their outlets. Others with less institutional support described improvising new security measures, sometimes attempting to hide digital trails using methods that were in fact ineffective. One described sharing an e-mail account with a source and exchanging messages via saved, but unsent, drafts. That was the same technique David Petraeus reportedly used, unsuccessfully, in attempting to communicate secretly with his mistress.Footnote ⁵³ Whether the journalists benefitted from professional security training or not, they were uniformly skeptical that it was even possible to be entirely secure in one’s use of digital technologies. Interviewees commonly expressed the feeling that, when facing off against an adversary as powerful as the National Security Agency, the best one could hope to do is “raise the cost of surveillance.”Footnote ⁵⁴

I found similar results from speaking to attorneys,Footnote ⁵⁵ whose interests in digital security stem from, among other things, their professional responsibility to safeguard confidential client information.Footnote ⁵⁶ I interviewed more than forty attorneys, most of them working on matters of potential interest to the US government, such as criminal defense in the national security context. Just as the journalists expressed significant concerns about managing their relationships with sources, the attorneys largely worried about managing their relationships with clients. Some found that merely warning their clients against using phones and e-mail made the clients increasingly mistrustful and hampered their ability to develop a relationship. And, like the journalists, a number of the lawyers expressed the belief that speaking face-to-face is now essential, notwithstanding the costs and time constraints associated with doing so.

It is noteworthy that these journalists and attorneys – educated, fairly well-resourced people with an unusually high interest in protecting the privacy of some of their interactions – have to wrestle so mightily with the issue of data security. Indeed, merely planning this research required a surprising amount of thought within HRW and the ACLU. I needed a way to reach out to my subjects electronically concerning sensitive matters, and a way to convey to them my competence in protecting any data they might provide. That was a difficult goal to achieve, especially because so much of security turns on the measures taken by one’s correspondents. Like many of my research subjects, I therefore had to work with the institutions backing me to develop security protocols that were affordable and practical under the circumstances. Notwithstanding the assistance I had, the process involved some measure of trial and at least one embarrassing security error on my part. In short, true digital security is incredibly difficult or perhaps even impossible to attain – a point that cannot be lost in attempting to understand the relationship between the use of digital technologies and the waiver of the human right to privacy.

IV Drawing Some Conclusions

A modern understanding of the human right to privacy must contend with these questions, and the purpose of this chapter is to highlight the need for an extended conversation about the issue of waiver, especially among human rights authorities.Footnote ⁵⁷ This section offers some preliminary conclusions about the conditions under which a technology user’s actions might constitute a waiver of his or her privacy protections under Article 17 of the ICCPR, and the duties of the governments that are parties to the ICCPR to support the choices of individuals who take measures to secure their digital data. Per the Vienna Convention on the Law of Treaties, “[a] treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose.”Footnote ⁵⁸ When that approach alone “[l]eaves the [treaty’s] meaning ambiguous or obscure,” or “[l]eads to a result which is manifestly absurd or unreasonable,” then “[r]ecourse may be had to supplementary means of interpretation, including the preparatory work of the treaty and the circumstances of its conclusion.”Footnote ⁵⁹ Application of these principles often permits and may at times require that a state’s treaty obligations evolve with changing circumstances. As Eirik Bjorge has recently put it, “The wording [of a treaty] is important because it may lead us to ascertaining the intention of the parties, not because it is somehow an end in and of itself.”Footnote ⁶⁰ An evolutionary reading of a treaty may therefore “be required by good faith.”Footnote ⁶¹ For the reasons laid out below, the right to privacy reveals that the ICCPR is precisely the sort of treaty that requires an evolutionary reading.

V Conclusion

This chapter advocates for a serious conversation about waiving the human right to privacy. Many other elements of the right are appropriately on the table already, being dissected, debated, reinterpreted, and applied to novel circumstances. All essential questions about the right to privacy should be folded into that discussion. Privacy issues will only grow more significant as digital technologies and the surveillance programs that track them become more sophisticated and ubiquitous. It is important that we get these issues right, and now is the time to ensure that we do.

It bears emphasizing that a universally accepted standard for waiving the human right to privacy may prove to be elusive, especially given that states like the United States may contribute to the debate by drawing on excessively broad standards from their own domestic legal precedents. Moreover, an acceptable standard may prove to be challenging to implement in any event, and its creation would in no way diminish the importance of questions already being addressed, such as the definitions of the terms in Article 17 or the proper limitations on the right. Nevertheless, waiver has broad implications for the legality of common state practices; the persistence of questions about its application only sows doubt where clarity is essential.

I Introduction

Technology has been extraordinarily effective in reducing distances between people and places, but it has created an increasing distance between the present and the future. The rates of new product introduction and adoption are speeding up. It took forty-six years for electricity to reach 25 percent of the US population. The same milestone took thirty-five years for the telephone and only seven for the Internet. For most of us, it is increasingly difficult to understand or anticipate long-term technological trends. It is common, especially in the context of human rights practice, that such inability stokes fears of a dystopian future in which ordinary people, especially those already marginalized or disenfranchised, become subjugated by technology rather than benefiting from it. This chapter is both an attempt to help practitioners cope with new technologies and a proposal to incorporate solidarity as the driving force for technology transfer.

It has become cliché to say that technology and its impact on society advance at a rapid pace. It is also commonplace to say that societies and legal frameworks have a hard time adapting to technology’s pace and the behavioral changes it demands. But adaptation is a valuable goal, because there is no livable future without it. The human rights movement has taken note and, both systematically and spontaneously, looked for ways to adapt to the transformative era of the information society. Today, human rights campaigns rely heavily on social media and e-mail. The presentation of research results in courts, political offices, and public spaces commonly incorporates data visualization. Fact-finding practices often include the use of remote sensing and open source intelligence. Further, human rights research increasingly relies on computational analysis. Encrypted communications, and the tools and services that provide them, are now considered fundamental to the safety of human rights practitioners and their partners in the community. These are signs that, as the contributors to this volume remind us, the future of human rights will be intertwined with the advancement of technology.

The pace of technological change is unlikely to slow, and its relevance for human rights practice is unlikely to diminish. There is a valuable body of work, created over the past few decades, that focuses attention on the impact of technology on human rights. The lessons that we can extract from that literature will enrich our design for the future as well as our ability to evaluate the present.Footnote ¹ Yet, as Molly Land and Jay Aronson point out in Chapter 1, the field of human rights technology is significantly undertheorized. I would add that the relationship between practice and theory has garnered even less attention. The contributors to this volume have gone a long way to redressing the first issue, especially with respect to human rights law. If we are to solve the second challenge, however, practitioners must help frame the debate in this interdisciplinary field. Doing so is essential to the advancement of effective human rights practice.

II Where Does the Future Begin?

Over the past ten years, the notion of human rights technology as an area of practice has garnered attention across disciplines. The growing use of the term “human rights technology” signals the interest of technical, scientific, and practitioner communities in advancing it as a field of practice. An important example, and one of the likely origins of this multidisciplinary interest, occurred in 2009, when the Human Rights Center at the University of California, Berkeley called for “leading thinkers, civil society members, activists, programmers, and entrepreneurs to imagine, discover, share, solve, connect, and act together.” This invitation materialized as an international conference, “The Soul of the New Machine: Human Rights, Technology & New Media,”Footnote ² held in May 2009, and a follow-up conference, “Advancing the New Machine: A Conference on Human Rights and Technology,”Footnote ³ held in 2011, both in Berkeley. A diverse mix of academics, practitioners, and technologists attended those events, which launched a constructive debate about the uses of technology for human rights practice.

Since then, a growing number of efforts to create dialogue, promote debate, and engage technologists with rights defenders have emerged across the globe. Strategic donors to the human rights movement, like the MacArthur Foundation, the Ford Foundation, the Oak Foundation, Humanity United, and the Open Society Foundations, amplified these efforts. These foundations adapted their portfolios to help create the human rights technology field. Governments have also played a role, as can be seen in the programming of the Bureau of Democracy, Human Rights, and Labor at the US State Department,Footnote ⁴ the Open Technology FundFootnote ⁵ of Radio Free Asia (an initiative of the US Broadcasting Board of Governors), and the Swedish International Development Agency.Footnote ⁶

By now, there are dozens of international, regional, and national conferences and workshops each year that include debates on the use of technology for human rights.Footnote ⁷ Many organizations, like Benetech, HURIDOCS, and eQualit.ie, have carved a niche providing specialized technology and support to human rights practitioners. The growing interest can also be seen in the appearance of specialized and globally distributed communities of practice around issues of technology and human rights, such as the Internet Freedom Festival,Footnote ⁸ held yearly in Valencia, Spain, since 2015. This interest in technology has also reached traditional international actors like Amnesty International and Human Rights Watch, which have pioneered specialized programs within their organizations to address their remote sensing, data analysis, and digital security needs.Footnote ⁹ These examples are evidence of the growing and vibrant ecosystem interested in applying technology to solve human rights problems.

In order to frame how we think about the future of this field, it is essential to be aware of our own geopolitical and cultural positions. Human rights technology has not escaped some of the persistent problems that have faced the broader human rights movement. The most obvious, perhaps, has been the tendency to consolidate power in the economic capitals of the twenty-first century, geographically removed from most human rights crises. This can be acutely felt in the realm of technology, where investment in infrastructure can be too costly for grassroots organizations in the Global South. Current models of technology transfer reflect a unidirectional relationship, where technology is largely decided, designed, and created far away from the majority of people who need it. As Dalindyebo Shabalala reminds us in Chapter 3, funding and enforcement mechanisms for providing access to technology remain a challenge for effective technology transfer in international cooperation for adaptation to climate change.

For human rights practice – understood as fact-finding, advocacy, and litigation toward accountability, transparency, and justice – the fundamental problems with technology transfer are not limited to funding, but also include decision-making and design. Most technology is designed in places like the United States and the United Kingdom for practitioners and activists in the Global South, but generally without their involvement or input. A concerning example of this can be seen in Google’s Jigsaw project. Previously known as Google Ideas, it was re-launched in 2016 with the goal of “investing in and building technology to expand access to information for the world’s most vulnerable populations.”Footnote ¹⁰ Although this project may have been created in part out of genuine and bona fide good intentions, it is in reality an example of the kind of power-consolidating technology transfer that could harm the development of a sustainable and fair human rights technology ecosystem. As the technology law and policy scholar Julia Powles argues, human development and human rights are too complex and too culturally diverse to be addressed by profit-driven companies acting on their own initiative.Footnote ¹¹ More to the point, as Rikke Frank Jørgensen points out in Chapter 11, the debate on binding human rights obligations upon companies has been ongoing for more than two decades, and the private sector has continued to be largely resistant to human rights frameworks.

The effect of this type of model – in which technology is designed for, but not with, practitioners – is twofold. First, it makes it more likely that a given technological “solution” will address a false dilemma, because there is little consideration of the context in which a particular technology will be deployed, what it may be displacing, and what social or cultural practices it may be enhancing or altering. Understanding the cultural impact of technology transfer is paramount, as technology is by nature disruptive. It would be naive, and potentially detrimental to the advancement of human rights, to think that the effects can be controlled and isolated to a particular issue. Designing technology without the stakeholders at the table could also mean a lost opportunity to learn from other approaches to problem solving, thus limiting the types of solutions that can be imagined.

Second, this model can lead to investments that are unsustainable on the ground. The yearly budget for a software developer in the Global North may be equivalent, for example, to the annual budget of a small organization that provides direct support to hundreds of migrants at the border between Mexico and Guatemala. Should we create expensive technology in their name from our comfortable seats in London, New York, or Palo Alto? Or should we bring them to the table to design a sustainable solution that recognizes their agency and goals? Should we even rely on for-profit companies to tackle complex geopolitical and cultural issues of global significance? Or should we create an open and distributed ecosystem that acts in the public interest?

When we think of the future, we must keep the sustainability of the human rights movement front and center. We need to guard against technology transfer creating dependence, exporting inequalities, or promoting a paternalistic relation between technology providers and human rights practitioners. The current approach to technology is instead largely based on the model of international cooperation for development, which Shabalala shows in Chapter 3 to be deficient on many levels. While his analysis focuses on new frameworks for organizing technology transfer at the government level, I wish to focus on efforts within the human rights community itself. In human rights practice, we can create better conditions for technology to effectively advance accountability, transparency, and justice if we move away from a technocratic approach and embrace the idea of transnational solidarity. International aid, like charity, is based on an asymmetrical relationship between a party in need and another party with resources or knowledge to share.Footnote ¹² Relationships of that nature are prone to creating clientelism, dependency, and unidirectional knowledge transfer. A core motivation of this chapter is to suggest a solidarity-based framework as an alternative approach to technology transfer. A first step in that direction is for practitioners to educate themselves about the technology that will be the subject of that transfer.

III What Is Human Rights Technology?

Human rights practitioners frequently work in under-resourced, high-pressure environments. They tend to use opportunistic and adaptive approaches to problem solving. Because of the financial constraints that most human rights practitioners face, few technologies have been developed specifically for human rights practice. Instead, practitioners have adapted the majority of tools they use in the field from existing technologies. There are a small number of exceptions, composed largely of software projects around information management or communications. This includes projects like MartusFootnote ¹³ and OpenEvsys,Footnote ¹⁴ which were created specifically for human rights documentation, and privacy-enhancing mobile apps like those created by the Guardian Project. It also includes projects like PGP encryption and the Tor Internet browser, which were created by forward-thinking individuals who understood very early on in the information era that privacy and anonymity were instrumental to human rights.

Beyond these examples, the vast majority of technologies used in human rights practice are based on creative or opportunistic adaptations of general-purpose technologies. Today, practitioners rely on WhatsApp and Telegram to communicate with their peers or the subjects of their work; WordPress or Drupal to promote their ideas; Dropbox or Google Drive to manage their files; Google Apps or G Suite to collaborate on documents; and Skype to engage in meetings and interviews.

A significant difference between the few examples of purpose-built human rights technology and the general-purpose technology adopted and adapted by practitioners is the nature of the software behind them. Those solutions that have been created for human rights-specific purposes are largely open source. This means that the developers made the code they used to build the technology publicly available for anyone to review and tinker with. The only requirement for those who make changes or additions to open source software is that they, in turn, allow others to freely use and modify their contributions.

The foundations and donors that support the human rights movement acted as positive agents of change in promoting the use of open source software. Nearly a decade ago, they began to request that the technology created with their support be designed as open and available to others. This is key for sustainability and replication, and quite likely allows donors to maximize the impact of their portfolios. This openness, especially if expanded beyond software, will be pivotal for the inclusion of Global South and grassroots organizations in the design, adoption, and evaluation of solutions that are tailored for them. Open source software is not necessarily cheaper to develop, but it is often available with few licensing and use restrictions. It also reduces dependency and promotes collaboration among distributed and culturally diverse communities.

An important consideration when thinking about technology is the fact that the same type of adaptation that human rights practitioners can make to advance accountability, transparency, and justice could be made by other actors – from governments and corporations to organized criminals and non-state actors. In that sense, most technologies could have dual or multiple uses, including for abuse and repression of human rights. For that reason, and as Lea Shaver concludes in Chapter 2, it is critical that human rights practitioners find avenues to exercise scrutiny and oversight over technological developments in order to minimize harm.

Finally, we must consider what type of technology we should be prepared to confront in the future. What most practitioners assume fits under “human rights technology” lies within the realm of information and communication technologies, or ICTs. But the uses of technology in the human rights context already go beyond this domain. Contemporary examples of this include the use of remote sensing by international organizations to find incidents of violenceFootnote ¹⁵ or cultural heritage destruction,Footnote ¹⁶ the growing interest in unmanned aerial vehicles (UAVs, or drones) to access unreachable areas,Footnote ¹⁷ and the use of DNA technology by forensic anthropologists to uncover evidence of mass atrocities.Footnote ¹⁸

IV What Technological Trends Could Shape the Future of Human Rights Practice?

Popular culture plays an important role in shaping the way that human rights practitioners think about technology. We tend to be very generic when discussing the effects of technology in society. For example, it is common to see contemporary issues framed as “the impact of social media” on relationships or “the effect of mobile technology” on the economy, rather than on how companies, governments, communities, and individuals have integrated technology into our lives and societies. Thinking of technology as an entity divorced from human action is an inadequate starting point for discussing the future of human rights technology. If we were to follow that line of abstraction, we would risk ending up with a teleological framing of technology that authors like Kevin Kelly have proposed.Footnote ¹⁹ For Kelly, there is a super-organism of technology, a “technium,” in the global interconnected system of technology that is “partly indigenous to the physics of technology itself.” To think of the future of human rights technology, we need to avoid that path. Humans have created technology, and humans have used technology to alter society. We should avoid giving agency to technology and remind ourselves constantly that technology is created by people and organizations with agendas. These are agendas that will impact us, and we should aim to influence them.

To effectively shape these agendas, practitioners need a better and more specific understanding of the trends that will shape the future of human rights technology. In digital security, for example, we can expect an expanded use of technology, including end-to-end encryption, a system of communication in which encryption ensures that only the intended recipient can read the message; multifactor authentication, a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism; and zero-knowledge encryption, a process that prevents a service provider from knowing anything about the user data that it is storing or transmitting.

In issues related to research and fact-finding, we can expect an increased use of UAVs, or drones, resulting in an increased availability of aerial images for documentation of human rights and humanitarian situationsFootnote ²⁰; an expanded use of remote sensing and satellite imagery, which has become less expensive and more available as more firms enter the market and satellite technology improvesFootnote ²¹; and an increased use of open source intelligence, knowledge produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific investigative requirement.Footnote ²²

In the case of advocacy, we are likely to see an expanded use of complex visualization to support the narrative of human rights accountability efforts. The work of SITU Research, an organization working in design, visualization, and spatial analysis to facilitate the analysis and presentation of evidence documenting the destruction of sites of cultural heritage in Timbuktu, Mali, is an excellent example. Created in collaboration with the International Criminal Court’s Office of the Prosecutor, SITU Research built a platform that combines geospatial information, historical satellite imagery, photographs, open source videos, and other forms of site documentation. The Office of the Prosecutor used SITU’s tool successfully at the trial proceedings at the International Criminal Court in 2016.Footnote ²³ This work is part an emergent field called forensic architecture, first developed at Goldsmiths College, University of London.Footnote ²⁴ It refers to “the practice of treating common elements of our built environment as entry points through which to interrogate the present.”Footnote ²⁵

The continued development of areas and projects like these will also be accompanied by new efforts in areas where technological trends are moving rapidly. While not exclusive, concepts like artificial intelligence, blockchain, sensors, open source hardware, and the Internet of Things reflect areas that are likely to offer fertile ground for the development of human rights technology and applications.

V Conclusion

Events of the past five years have significantly shaped the discourse around human rights technology. What has been learned and confirmed after Edward Snowden’s revelations of mass and unchecked surveillance by nation-states and corporations has necessarily focused the attention of global civil society on the dire effects of surveillance and the need to counter them.Footnote ⁵⁰ The state of surveillance has cast a dystopian shadow over the future of human rights, as Mark Latonero points out in Chapter 7, where practitioners fear technology will be used for control rather than liberation. The hypersurveillance practices of our times, as well as the role that technology plays in them, are indeed an extensive attack on human rights.Footnote ⁵¹ However, human rights practitioners should not let that hinder their ability to imagine alternative visions that could guide the intersection of human rights and technology.

The technologies discussed in this chapter do not represent an exhaustive compilation of trends that will shape the future of human rights practice, but rather are a starting point to expand our understanding of what technology could do for us in the near future. Challenging current technology transfer models and expanding the ecosystem of actors around them is key, because in creating a more inclusive, deliberate, and forward-looking interdisciplinary field around human rights technology, we will be creating a better opportunity to advance the larger human rights field.

A change in the dynamics of technology transfer will challenge the traditionally asymmetrical power dynamics between human rights practitioners and their transnational supporters. We can foster this by promoting capacity-building in the Global South, favoring open source software and hardware, and critically evaluating budgetary allotments to technology. In the process, grassroots practitioners will be at the helm of designing and adapting human rights technology. We must be conscious that this will challenge the growth of professional opportunities for Global North practitioners. There are important questions that will be critical for any next step. Can human rights play a role in the governing of technology? What role can the private sector play in advancing human rights technology? Can human rights challenges drive technological innovation? To answer them, we should be open to interdisciplinary conversations like the one taking place in this volume, and encourage an inclusive and participatory multistakeholder ecosystem.

The approach of human rights practitioners to technology will be a determining factor in their ability to advance accountability, transparency, and justice in the years to come. This book is an invitation to imagine the future of the intersection of human rights technology and human rights practice. For this intersection to benefit practitioners, it must adopt a solidarity-based framework for technology transfer.

A solidarity approach requires technologists to understand and respect the cultural context of the environment they are working within. They must reimagine the relationship as bidirectional and characterize their counterparts in technology transfer as active collaborators. Technologists must establish partner relationships with practitioners, from designing solutions that involve technology all the way through to evaluating them. Practitioners should also be able to tinker with and modify the technologies they are using, and technologists should support them in doing so. This commitment should be reflected in the timeline, budget, and conceptualization of the project. Solidarity requires careful consideration of how technology may displace human resources or compete with scarce resources available in the human rights funding landscape. This technology transfer approach prioritizes human capacity and sustainability above technical complexity and sophistication. Finally, technologists must continuously question their own role within larger power structures – are they helping to reduce the burden of inequality and dependency, or are they just recreating it through the deployment of technology? Ultimately, a solidarity approach demands that technologists not contribute to long-term inequalities while working with human rights workers and communities in crisis.