Four common myths about human rights and security in cyberspace

This blog post was developed from remarks made by Mr. Michael Walma, Cyber Coordinator for Global Affairs Canada, at the FOC WG1 workshop on “A Multistakeholder and Human Rights Approach to Cyber Security”, at the 10th annual Internet Governance Forum (IGF) in João Pessoa, Brazil, Nov 10-13. At the Workshop, the Working Group introduced and sought feedback on a set of draft recommendations it is currently developing to bring multistakeholder processes and human rights into cyber security policy development and decision-making.


We routinely encounter a number of ideas, or “myths”, when discussing human rights and security issues relating to cyberspace at the international level. While these are occasionally advanced unknowingly due to misunderstandings, they are often promoted deliberately in order to further a specific aim. Within this broader cyberspace setting, there are a number of ways that the Working Group’s recommendations can help us clarify these discussions.

Myth 1: There needs to be a trade-off between security and human rights

From Canada’s perspective, there is no trade-off. Security and human rights are mutually reinforcing. People cannot exercise their human rights if they don’t have the security to do so. In Canada, our security is tightly linked to human rights – as in, we are a democracy guided by the rule of law. This only functions in an environment where there is respect for rights and the freedom to exercise those rights. These values define us as a nation – their preservation is the goal of our national security policy. Ultimately, the security of Canadian democracy depends on our respect for these rights.

This is why the Working Group’s definition of cybersecurity is so important. It is rooted in the fact that there is no trade-off between security and human rights.

Myth 2: Cybersecurity is just the business of states

This perception is arising in a variety of international fora, and is not just limited to cybersecurity discussions. The WSIS+10 process offers one example, whereby some strongly advocated to make it an inter-state discussion, excluding other stakeholders, such as civil society and the private sector.

It is a myth, because everyone has a stake in the future of cyberspace. In Canada, much of the infrastructure of the Internet is in private hands. How can you provide security if you do not work with the private sector? The security we are aiming for, as highlighted in the Working Group’s definition of cybersecurity, is the security of individuals. How can you talk about security without engaging with the very people you are trying to secure?

Accordingly, the Working Group’s definition and Recommendation 10, which emphasises open, inclusive, and transparent approaches to cybersecurity that involve all stakeholders, are very important to Canada in this respect.

Myth 3: The Internet is new, and therefore requires the application of new rules

Proponents of this myth would have us take everything we’ve learned about human rights, crime, and interaction amongst states, and throw it out the window when it comes to cyberspace. In their view, we have to start at zero and renegotiate all the understandings and principles that we have observed for so long. This myth is promoted deliberately by those who would like to see the underpinnings we have relied on for so long restricted and redrawn in a way more favorable to their interests.

Canada rejects the notion that we need to start afresh with new rules and understandings. Human rights are the same online as they are offline. State behaviour is constrained by international law, whether it be online or offline. A crime is a crime, whether you break a window and steal jewellery, or break into a server and steal someone’s credit card information.

A closely related myth is that national law has primacy over international law. States have an obligation under international law to respect the human rights of their citizens. States then should not introduce national laws that violate those rights.

In both these instances, Recommendation 4, which calls for cybersecurity laws, policies and practices to be consistent with international law, is crucial.

Myth 4: Information, communications and content can in and of itself be a threat

If you accept this dangerous premise, content becomes a legitimate object of security policy. That is, you open the door to the idea that political speech is a security threat, and subsequently, people exercising their rights become a security threat. It is important that we reject this notion.

As such, Recommendation 5, which states that cybersecurity-related laws, policies and practices cannot be used as a pretext to violate human rights, is critically important.

For Canada, the approach and kind of work undertaken by the Working Group will be helpful and important for us as we engage in international fora to promote both security and respect for human rights.


The views expressed in this blog represent the views of individual authors, and do not represent the views of the Freedom Online Coalition or its members.
