Recommendations for human rights based approaches to cybersecurity

These recommendations are a first step towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights – effectively, that cybersecurity policies and practices are rights-respecting by design.

1. Cybersecurity policies and decision-making processes should protect and respect human rights.
2. The development of cybersecurity-related laws, policies, and practices should from their inception be human rights respecting by design.
3. Cybersecurity-related laws, policies and practices should enhance the security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.
4. The development and implementation of cybersecurity-related laws, policies and practices should be consistent with international law, including international human rights law and international humanitarian law.
5. Cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights, especially free expression, association, assembly, and privacy.
6. Responses to cyber incidents should not violate human rights.
7. Cybersecurity-related laws, policies and practices should uphold and protect the stability and security of the Internet, and should not undermine the integrity of infrastructure, hardware, software and services.
8. Cybersecurity-related laws, policies and practices should reflect the key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly, and privacy.
9. Cybersecurity-related laws, policies and practices should not impede technological developments that contribute to the protection of human rights.
10. Cybersecurity-related laws, policies, and practices at national, regional and international levels should be developed through open, inclusive, and transparent approaches that involve all stakeholders.
11. Stakeholders should promote education, digital literacy, and technical and legal training as a means to improving cybersecurity and the realization of human rights.
12. Human rights respecting cybersecurity best practices should be shared and promoted among all stakeholders.
13. Cybersecurity capacity building has an important role in enhancing the security of persons both online and offline; such efforts should promote human rights respecting approaches to cybersecurity.

Concerns related to specific practices – including surveillance and content control – are addressed in these recommendations in two ways. First, to the extent that cybersecurity is used to advance other unrelated objectives such as censorship or surveillance activities, Recommendation 5 specifically highlights that cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights. Moreover, with regard to content control and surveillance activities relating to cybersecurity, Recommendations 1 and 2 highlight that cybersecurity laws, policies, practices, and decision-making processes should protect and respect human rights.