Cyber Security Awareness Month: Privacy and Security Must Go Together
Since 2004, October has been designated National Cyber Security Awareness Month in the United States. Many other countries have followed suit, as part of the effort to raise awareness about the importance of cyber security and how we can all work together to improve it.
However, cyber security (or sometimes, just ‘cyber’) has become not only a term with multiple and sometimes contradictory meanings - ranging from digital security or digital diplomacy to criminal activities with a digital component - but also a frequent excuse for adopting misguided policy decisions that end up affecting our privacy and other human rights.
Privacy International has been working to identify what a ‘good’ cyber security approach should look like: to reconcile security and privacy, to build trust, and to protect our devices, networks, and ultimately all of us - the users of those devices.
We believe cyber security should be treated as a public good, to benefit everyone through sensible policies that address underlying systemic security issues, such as identifying and patching vulnerabilities, or pushing for safeguards that limit government hacking powers, instead of focusing on criminalising behaviours or using ‘cyber’ as an excuse to implement new and more invasive surveillance laws.
Developing frameworks and legislation to safeguard privacy and security
Both “cyber security” and “cyber crime” are terms widely used but often poorly understood. Worse, they often get included in the same discussions, with many governments approaching policy making from a misguided perspective.
To help overcome this confusion, we have developed a briefing with an overview of the terminology, concepts and trends in addressing cyber security and cyber crime, describing the differences between them and the associated challenges for the protection of people’s security and their human rights.
We have also developed an explainer to help understand these differences, with a useful list of “do’s” and “don’ts” for advocates and decision makers, as well as a podcast that illustrates key elements and examples from cyber security frameworks and cyber crime legislation around the world.
The way forward
The Privacy International Network has been involved in global cyber security policy discussions, through our advocacy on data protection (which contains several provisions regarding data breaches and digital security), fighting ill-conceived cyber laws, and delivering training to relevant stakeholders, most recently at the OAS Cyber Security Symposium, where we delivered a two-day workshop on cyber security and human rights.
There is often the temptation to cover everything to do with “cyber” in one law. But cyber security and cyber crime must be considered as separate issues, with safeguards designed to address the unique privacy and security implications of each.
Moreover, states should not shroud cyber security in secrecy, or use cyber crime laws as an excuse to criminalise legitimate behaviours and expand surveillance powers. This is why the input of civil society is critical in the law-making process - truly effective security must be achieved through collaboration, and no one actor can claim to have the solution.
We need to build on previous successes and avoid mistakes of the past. We hope these tools will help advocates to make specific demands to their governments, which in turn will help to improve debates on cyber security around the world.