The Evolving Challenge of Applying International Human Rights Law to Cyberspace
Analyzing New National Cybersecurity Laws in East and Southeast Asia
No individual, organization, or nation is an island in cyberspace.
Internet and cyberspace activities often involve cross-border jurisdictions, bringing to rise potential international legal disputes and a conflict of laws.
In June of 2016, the United Nations Human Rights Council (UNHRC) aimed to provide legal guidance on this issue by adding protections for the promotion and enjoyment of human rights on the internet to Article 19 of the Universal Declaration of Human Rights (UDHR), with 193 signatory countries committing their governments to improve internet quality, sustainability, and accessibility.
The initial drafting of the UDHR in 1947 put an emphasis on the notion that all major components of human rights5 are interdependent and inherent to every human. The UDHR harkens back to the legal concept of jus gentium, which supports the notion that institutions are governed by a law common to all and a common good for the international legal order. However, a number of states—including China, Indonesia, India, Russia, and Saudi Arabia—opposed the recent Article 19 amendments, highlighting their allegiance to an “internet sovereignty” (IS) alliance that stipulates that the internet should be governed by states, rather than within a multi-stakeholder model.
“Internet sovereignty” can be explained as a system in which state sovereignty determines borders in cyberspace, enabling a state to control the use of internet technologies in their respective territories.
How does International Human Rights Law (IHRL) Factor into Internet Governance?
Signifying the rise of the ideological opposite of the internet sovereignty model, the 2003 World Summit on the Information Society (WSIS) saw the establishment of the multi-stakeholderism (MSM) concept of internet governance, which focuses on the establishment of “an inclusive information society that require[s] new forms of solidarity, partnership, and cooperation among governments and other stakeholders (i.e., the private sector), civil society, and international organizations.” In light of this dichotomous relationship existing within the governance of cyberspace, I aim to contextualize the influence (or lack thereof) of international law and norms within recent cybersecurity legislation adopted by governments in East and Southeast Asian countries, namely China and Vietnam, with the goal of outlining potential UDHR violations therein. When comparing the fundamental tenets of both the internet governance models, I find that the nations supporting IS models continually breach human rights commitments through politically-incited internet shutdowns, the censorship of dissenting civilian opinions and quelling of civil unrest online, and the surveillance and data gathering of their civilians and businesses for increased control.
Across the widespread academic dialogue on cyberspace governance, most argue that the UDHR is the point of departure for the principles underlining internet governance. Aside from the aforementioned Article 19 amendment that clearly defines internet-based human rights as inalienable to each human, Article 3 of the UDHR is particularly relevant to this issue: “Everyone has the right to life, liberty, and security of person.” Moreover, in the absence of concrete black letter law enforcing human rights within cyberspace, a number of non-state actors have aimed to fill this legal gap in proposing new frameworks; delineating cyberspace rules within existing human rights law; and providing comparable legal frameworks for adaptation. While the private codification of international cybersecurity legal frameworks has advanced in the form of the NATO Cooperative’s Cyber Defense Centre of Excellence’s Tallinn Manual, no cross-regional multilateral international law convention exists for the governing of cyberspace.
The 2013 Tallinn Manual (and its second version, Tallinn Manual 2.0, released in 2017) is a non-binding resource for legal advisers dealing with cyber issues. It was written by 19 international law experts and is an exhaustive guide of the lex lata, (the law as it exists) illustrating how existing international law applies to cyber operations. Importantly, however, is the notion that the authors assiduously avoided the inclusion of statements that reflect lex ferenda (what the law should be), as the Manual is staunchly politically neutral.
What Cybersecurity Law Already Exists?
Cyberspace has often been called the “fourth theatre of military operations,” and as such, the field has been dominated by militaristic interpretations of cybersecurity law, as it justifiably factors centrally in both state behaviour and international norm-setting practices. This is particularly obvious in The Council of Europe’s Convention on Cybercrime, which is the only prominent example of a multilateral, legally binding instrument that aims to tackle crimes committed in cyberspace. However, once again this Convention relies upon domestic law and cooperation rather than internationally enforceable cybersecurity standards, and its few signatories compound the issue of its enforceability.
To add further complication to this field, there is no international legal body with authorization to investigate or prosecute acts of aggression committed over the internet, and as such, nations have historically resorted to legal principles of territorial jurisdiction in response to cyberattacks.
Legris and Walas point to the legal void caused by the internet governance conflict and argue that cyberspace demonstrates “an essential resistance to the application of international law." However, while cybersecurity and human rights-centric internet governance has yet to successfully establish new customary international law, some argue that the custom is emerging. This paper will outline potential counterpoints to this argument, as the cases of China and Vietnam’s newest cybersecurity legislation point towards the deepening of this ideological divide.
To explain this divide, the term cyber-balkanization is useful. It describes the process of a global network breaking off into sets of smaller, community-based groups of users. This can apply on a larger scale to countries like China and Vietnam who have legally reinforced technological barriers against their citizens’ interactions with other state internet communities.
Analyzing the Application of IHRL in East and Southeast Asia
Shackelford has argued that “State practice has not kept pace with popular opinion on whether or not either Internet access or cybersecurity should be considered human rights.” Despite a widespread lack of inclusion of internet access in existing cybersecurity laws, the academic literature and the consensus from the multi-stakeholder internet governance camp speaks to the legal power of the individual that has been enhanced by access to the internet, new communication technologies, and social media. By allowing individuals to express views without government affiliation, they are potently exercising their UDHR rights.
Freedom House’s 2019 iteration of their Freedom on the Net project identified three main methods in which states may attempt to control access to internet content and the transmission of information. Such methods include the creation of obstacles to user access which, for example, block specific applications or technologies, place limits on user content, (embodied by the act of filtering and blocking websites and/or manipulating online content(, and the violate user rights, including the enactment of legal protections and restrictions on online activity. The following case studies aim to show how China and Vietnam can exert their control over their citizens for political stability and to ensure the survival of the internet sovereignty model.
Case Study #1: China
China has been noted as recently “retrenching” its cyber censorship practices, bringing to light a fundamental breach of the UDHR’s Article 19, wherein it states that “Everyone has the right to freedom of opinion and expression; this right includes the freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers.”
Before engaging in a comparative analysis of the UDHR and China’s 2017 Cybersecurity Law (TCL), it is important to note that preceding laws on cybersecurity were based on an “infiltration model” that integrated cybersecurity principles into other existing laws, administrative, regulations, departmental rules, and judicial interpretations. As Zhizheng Wang explains, in recent decades this legislative green light for mass data collection has been extended across the entire Chinese legal system: “Constitutional law, penal laws, penal litigation laws, state security laws, and other public-sector laws […] grant government extensive rights and sizeable flexibility for investigation, seizure, and search, especially in the matter of state security or keeping social order.”
Meirong Guo argues that the TCL fails to fully reflect the protection of fundamental rights of Chinese citizens, focusing on the lack of freedom of speech and publication stipulations, “the citizens’ right of criticisms, suggestions, complaints, charges, and exposures,” and “the freedom to engage in scientific research, literary and artistic creation, and other cultural pursuits.” This notion is further supported by the meaningful research conducted by the University of Toronto-based Citizen Lab, an internet human rights watchdog and think tank. In July of 2019, Jeffrey Knockel and Ruohan Xiong published an article that explains how the Chinese state-owned enterprise Tencent censors images within its messaging platform WeChat in real-time.
This remarkably advanced technology targets political content shared on the platform, such as images that are related to government dissent and social resistance. This deeply engrained technology is a fundamental breach of the UDHR’s Article 19, which was already outlined, but also of Article 20, which states, “Everyone has the right to freedom of peaceful assembly and association.” By denying online freedoms of assembly into groups that discuss political dissent, the Chinese government is violating Article 20 within its controls of cyberspace.
Case Study #2: Vietnam
Perhaps the issue of greater concern with regards to China’s routine breaches of IHRL documents, such as the UDHR, is the fact that they are systematically influencing other states to act similarly. Vietnam is a noted supporter of the IS model of IG that introduced cybersecurity laws like China’s in 2018. These laws, which codify restrictions to freedom of expression online by maintaining state control over dissenting information and preventing use of mass communication technologies to coordinate protests and political movements, were introduced shortly after Vietnam attended China’s two-week “Seminar on Cyberspace Management for Officials of Countries along the Belt and Road Initiative” in 2017. In June of 2018, the National Assembly of Vietnam passed their Cybersecurity Law despite facing pervasive public dissent and a signed petition by over 65,000 Vietnamese people.
As Giang Nguyen-Thu argues, social media is playing an increasingly important role in determining public opinions in Vietnam. Facebook has become a platform for citizens to defend what they perceive as the public good. He further emphasizes that the Vietnamese government has noted this societal change and therefore have instated similar information controls on its citizens, like those implemented by China.
Currently, Vietnam blocks dissenting voices online by denying its citizens access to blogs that express dissenting political opinions against the one-party state. It also aims to flood out dissenting voices on social media through its employment of “Force 47,” a team of 10,000 civil servants that defend the party’s policies on social media.39 Unlike China, however, Vietnam is not as technologically equipped to block these social media sites since they currently cannot provide equivalent domestic platforms to their citizens. Despite their technological barriers, Vietnam has previously shut down internet access to these platforms successfully during increased periods of domestic civil unrest.
In May of 2016, the Vietnamese government blocked citizen access to Facebook during U.S. President Obama’s visit and during the weeks of protests leading up to the event. Vietnamese authorities were also reported to have conducted a crackdown on human rights activists, detaining journalists and human rights defenders and attempting to access their private accounts on their cell phones during detainment. Despite the fact that Vietnam is a signatory to the UDHR, which includes general protections for freedom of speech both within the medium of the internet and in normal society, it is clear that the Vietnamese government is actively violating international human rights law within the field of cybersecurity.
How Can IHRL Be Reinforced in the Cyber Era?
To conclude, much work is to be done to reinforce international human rights law across the internet sovereignty-supporting states such as China, Russia, India, Saudi Arabia, and many more. However, in the face of China’s rise as an ideological leader and supporter of “digital authoritarianism,” how can states collaborate to exert control over the enactment of human rights-breaching cybersecurity laws? Authors representing a wide array of cybersecurity and IHRL literature were consulted for the purpose of this analysis, which concluded that they generally supported the establishment of IHRL principles that return to natural law’s most fundamental principles: a respect for human rights. As such, adding “teeth” to the UDHR could be a meaningful way to accomplish this, as it already holds universal acceptance.
Alkabajai, Mohamad and Adams, Jackson. “Cyberspace: A Vouch for Alternative Legal Mechanisms,” International Journal of Business & Cyber Security 1:1 (2016), p. 10.
“ETS 185 – Convention on Cybercrime,” Council of Europe 185 (2001): p. 1-25.
Franklin, Benjamin. Poor Richard’s Almanack (1738).
“Freedom on the Net Methodology,” Freedom House, Accessed December 11, 2019, https://freedomhouse.org/report/freedom-net-methodology .
Guo, Meirong. “China’s cybersecurity legislation, it’s relevance to critical infrastructures and the challenges it faces,” International Joiurnal of Critical Infrastructure Protection 22 (2018): p. 140.
Howell, Catherine and West, Darrell M. “The internet as a human right,” Brookings Institution, November 7, 2016, https://www.brookings.edu/blog/techtank/2016/11/07/the-internet-as-a-human-right/.
International Court of Justice, North Sea Continental Shelf cases, supra note 12, p. 43; 74.
International Covenant on Civil and Political Rights, 16 December 1996, accessible at https://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx.
Knockel, Jeffrey and Xiong, Ruohan. “(Can’t) Picture This 2: An Analysis of WeChat’s Realtime Image Filtering in Chats,” The Citizen Lab, July 15, 2019: accessible at https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/.
Kulesza, Joanna and Balleste, Roy. “Signs and Portents in Cyberspace: The Rise of Jus Internet as a New Order in International Law,” St. Thomas University School of Law, 2014: p. 1314.
Legris, Emily and Walas, Dimitri. “Regulation of Cyberspace by International Law: Reflection on Needs and Methods,” ESIL Reflections 7: 1 (2018), p. 1.
Lessig, Lawrence. Remix: Making Art and Commerce thrive in the Hybrid Economy, [publisher] (2008): p. 130; 248-49.
Nguyen-Thu, Giang. “Vietnamese Media Going Social: Connectivism, Collectivism, and Conservatism,” The Journal of Asian Studies 77:4 (November 2018): p. 895.
Shackelford, Scott J. “Should Cybersecurity be a Human Right: Exploring the Shared Responsibility of Cyber Peace,” Stanford Journal of International Law 55: 2 (2019) p. 156.
Shahbaz, Adrian. “The Rise of Digital Authoritarianism – Freedom on the Net 2018,” Freedom House, (2018), accessible at: https://freedomhouse.org/sites/default/files/FOTN_2018_Final%20Booklet_11_1_2018.pdf.
Stahl, William M. “The Uncharted Waters of Cyberspace: Applying the Principles of International Maritime Law to the Problem of Cybersecurity,” Georgia Journal of International Law 40: 1 (2011), p. 249-251.
Tallinn Manual 2.0,” NATO Cooperative Cyber Defence Centre of Excellence, accessible at: https://ccdcoe.org/research/tallinn-manual/.
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Cambridge University Press, February 2017, p. 3.
Trinidade, Antônio Augusto Cançado. “Introductory Note: Universal Declaration of Human Rights,” Audiovisual Library of International Law.
Universal Declaration of Human Rights, Article 3, 10 December 1948, accessible at https://www.un.org/en/universal-declaration-human-rights/.
“Vietnam blocks Facebook and cracks down on human rights activists during Obama visit,” Access Now, 23 May 2016: accessible at https://www.accessnow.org/vietnam-blocks-facebook-human-rights-obama/.
Zhizheng Wang, “Systematic Government Access to Private-Sector Data in China,” International Data Privacy Law 2 (4): 245.
Meet Caroline Wesley
My name is Caroline Wesley, and I am a Researcher at the Citizen Lab, an interdisciplinary research organization focused upon issues of internet governance, cybersecurity, and human rights.
I hold a BA from McGill University in Political Science and International Development Studies, as well as a Master of Global Affairs from the Munk School of Global Affairs and Public Policy at the University of Toronto, where I specialized in both Innovation Policy and East and Southeast Asian Affairs.
I pursued the position of Regional Director of the UofMosaic Fellowship Program to apply my project management and conflict resolution background to this meaningful program composed of Canada’s brightest undergraduate students.
For my research paper, I chose to focus on the intersection of East and Southeast Asian cybersecurity laws with international human rights law, as I was inspired by prominent scholars that I have met in my time at the Munk School as well as in my research at the Citizen Lab.