Policy Recommendations: Internet Freedom

Protecting and Promoting Internet Freedom

For Policymakers

Reject undue restrictions on access to information and free expression, especially during a pandemic. Governments should support and maintain access to the internet and refrain from banning social media and messaging platforms. While such services may present genuine societal and national security concerns, bans constitute an arbitrary and disproportionate response that unduly restricts users’ cultural, social, and political speech. Governments should address any legitimate human rights or other risks posed by such services through standard democratic mechanisms, including legislation passed in consultation with civil society experts and affected stakeholders, rather than resorting to national security orders and emergency measures.

Take action to address the digital divide. With jobs and schooling moving online as a result of COVID-19, the repercussions of unequal access to the internet are worsening. In the short term, governments should work with service providers to lift data caps and waive fees for late payments; they should also support community-based initiatives to provide secure public access points and to lend electronic devices to individuals who need them. Longer-term efforts could include expanding access and building internet infrastructure for underserved areas and populations, ensuring that connectivity is affordable regardless of income level, and enacting strong legal protections for user privacy and net neutrality.

Bolster cyber diplomacy in defense of an open, free, and global internet. Diplomats should make greater efforts to push back against data localization requirements around the world, particularly in repressive countries where the human rights implications for local users are stark. In the United States, the proposed Cyber Diplomacy Act (H.R.739) would establish an Office of International Cyberspace Policy within the State Department, headed by an ambassador for cyberspace, to lead cyber diplomacy efforts. The office would be tasked with implementing a US international cyber policy that advances democratic principles and promotes an open, interoperable, and secure internet governed by a multistakeholder model. The legislation requires the inclusion of internet freedom in annual State Department country assessments and the formulation of a strategy for engaging foreign governments to develop international norms of responsible state behavior on cyber issues.

Lead by example. Freedom House research consistently shows that governments learn from one another, copying restrictive policies and actions from foreign states to implement at home. This includes less free governments that cite the actions of democracies to justify their own repressive policies. Democratic leaders should demonstrate respect for internet freedom principles by adhering to domestic legislation in line with international human rights laws and standards, and by refraining from rhetoric that undermines these standards.

Preserve broad protections against intermediary liability. Companies should continue to benefit from safe-harbor protections for most user-generated and third-party content appearing on their platforms, in keeping with principles that have allowed for a historic blossoming of artistic expression, economic activity, and social campaigning. Policies ostensibly meant to enforce political neutrality would in practice open the door to politicized government interference and negatively impact “good Samaritan” rules that enable companies to moderate harmful content without fear of unfair legal consequences. In line with the Manila Principles, governments should work together with technical, legal, and human rights experts to establish meaningful oversight measures for technology companies, including the ability to evaluate their content moderation practices for transparency, proportionality, and the effectiveness of appeals processes.

Ensure that all internet-related laws and practices adhere to international human rights law and standards. National governments should establish periodic reviews to assess whether their laws and practices regarding internet freedom conform to the principles outlined in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. Any undue restrictions on internet freedom—including the blocking of political websites, internet shutdowns, arrests for nonviolent speech, or extralegal surveillance—should cease immediately.

For the Private Sector

Ensure fair and transparent content moderation. To accomplish this, private companies should do the following:              

• Prioritize users’ free expression and access to information, particularly for content that can be considered journalism, discussion of human rights, educational materials, or political, social, cultural, religious, and artistic expression.
• Clearly and concretely define in their guidelines and terms of service what speech is not permissible, what aims such restrictions serve, and how the company assesses content.
• When appropriate, consider less invasive alternatives to content removal, such as labeling, fact-checking, adding context, and design changes that grant users more control over their information digest.
• Ensure that content removal requests from governments are in compliance with international human rights standards and use all available channels to push back against problematic requests.
• Publish detailed transparency reports on content takedowns—both for those initiated by governments and for those undertaken by the companies themselves.
• Provide an efficient and timely avenue of appeal for users who believe that their rights were unduly restricted, including through censorship, banning, assignment of labels, or demonetization of posts.
• Refrain from relying on automated systems for flagging and removing content without a meaningful opportunity for human review.

Resist government orders to shut down internet connectivity or ban digital services. Service providers should use all available legal channels to push back on such requests from state agencies, whether they are official or informal. If companies cannot resist demands in full, they should ensure that any restrictions or disruptions are as limited as possible in duration, geographic scope, and the type of content affected. Companies should also thoroughly document government demands internally, and notify users as to why connectivity or content may be restricted, especially in countries where government actions lack transparency.

Adhere to the UN Guiding Principles on Business and Human Rights and conduct human rights impact assessments for new markets, with a commitment to do no harm. Companies should commit to respecting the rights of their users and addressing any adverse impact that their products might have on human rights. Companies should not build tools that prevent individuals from exercising their right to free expression, turn user data over to governments with poor human rights records, or provide surveillance or law enforcement equipment that is likely to be used to commit human rights violations. International companies should not seek to operate in countries where they know they will be forced to violate international human rights principles. Where companies do operate, they should conduct periodic assessments to fully understand how their products and actions might affect rights like freedom of expression or privacy. When a product is found to have been used for human rights violations, companies should suspend sales to the perpetrating party and develop an immediate action plan to mitigate harm and prevent further abuse.

Engage in continuous dialogue with civil society organizations to understand the implications of company policies and products. Companies should seek out local expertise on the political and cultural context in markets where they have a presence or where their products are widely used. These consultations with civil society groups should inform the companies’ approach to content moderation, managing government requests, and countering disinformation, among other activities.

For Civil Society

Conduct research on and raise awareness about censorship and content manipulation. Civil society groups should engage in innovative initiatives that inform the public about government censorship, as well as investigate and expose disinformation campaigns, including their origins and objectives. Studies and surveys have shown that when users become more aware of censorship and disinformation, they often take actions that enhance internet freedom and protect fellow users.

Utilize strategic litigation to push back against shutdowns and censorship. Civil society groups and their allies have won victories in court that reversed network shutdowns and censorship decisions in Indonesia, India, Pakistan, Sudan, Togo, and Zimbabwe. They should participate in strategic litigation whenever possible, or provide friend-of-the-court filings that explain how certain forms or uses of digital technology undermine human rights. Civil society organizations should consider carefully whether to bring cases against governments themselves or support others seeking to do so, given that the process can be complicated and costly.

Build digital literacy among the public. Civil society organizations should educate netizens about how to spot disinformation and misinformation on social media, addressing topics such as altered content, so-called deepfake videos, suspicious spelling or phrasing, and inadequate citation. Organizations should also inform internet users about how to report false or suspicious content and how to flag this content for friends and family.

Work together with policymakers and the private sector to design and champion effective solutions. Some of the most important advances in privacy and free expression—such as the widespread adoption of end-to-end encryption or HTTPS browsing—derive from innovations in technical standards and product design that were effectively pushed by advocacy groups. Multistakeholder efforts will be needed to ensure that leading democracies can offer a viable alternative to the authoritarian model of cyber sovereignty.

Continue to raise awareness about government censorship and surveillance efforts. Civil society groups globally should engage in innovative initiatives that inform the public about government censorship and surveillance, imprisoned journalists and online activists, and best practices for protecting internet freedom, particularly in the lead-up to elections, when internet freedom violations are most acute. Studies and surveys have shown that when users become more aware of censorship, they often take actions that enhance internet freedom and protect fellow users.

Protecting Human Rights from Intrusive Surveillance

For Policymakers

Ensure that new surveillance programs meet international human rights standards for necessity, proportionality, and independent oversight. New surveillance programs meant to help combat COVID-19 must first be shown to be necessary—in the view of public health experts—for containing the spread of the virus. Any program should also be narrowly tailored, minimizing what information is collected, who collects it, and how it can be used. Any sharing of data must be transparent and subject to independent review. The information collected should be firewalled from other uses and generally destroyed after the virus is brought under control, so that authorities and private companies cannot access it later for political, law enforcement, or commercial purposes. Any programs involving the use of smartphone apps should be voluntary, with no participation requirements for access to public services.

Enact robust data privacy legislation and protect encryption. In the United States, policymakers should pass a federal electronic privacy law that provides robust data protections and harmonizes rules among the 50 states. They should also resist legislative attempts to undermine encrypted services, including through the use of “back doors.” Individuals should have control over their information and the right to access it, delete it, and transfer it to the providers of their choosing. Governments should have the ability to access personal data only in limited circumstances as prescribed by law, subject to judicial authorization, and within a specific time frame. Companies should also be required to disclose in nontechnical language how they use customer data, details on third parties that have access to the data, and how third parties are allowed to use the data. Companies should also be required to notify customers in a timely fashion if their information is compromised. Given the technical measures—including cyberattacks—that both foreign and domestic actors use to access citizens’ personal information, data privacy legislation should be paired with cybersecurity requirements concerning the collection and storage of user data.

Firmly restrict new surveillance technologies that employ biometrics and artificial intelligence. Lawmakers should pass a moratorium on the use of facial- and other affect-recognition technologies in sensitive areas such as law enforcement, education, employment, health care, and housing, and future legislation governing these technologies should be informed by additional research on their potential harms to human rights. State and local governments should follow the lead of municipalities in California, Oregon, Massachusetts, and other US states that have passed moratoria or bans on the use of biometric and AI surveillance.

Improve oversight of and create alternatives to algorithmic decision-making. Governments should be explicit about how, when, where, and why they use automated systems. Procurement processes for such technology should be transparent and include human rights–based impact assessments. Government agencies should create pathways to ensure human oversight and explanation, especially when algorithmic decision-making determines access to public services like education, health care, and housing. Automated systems should be routinely audited to ensure that they comply with antidiscrimination laws and other rights-based standards. Furthermore, governments should establish mechanisms for appeal and redress in cases of discrimination by algorithm.

Restrict the export of censorship and surveillance technology. Given the significant potential for abuse, trade in censorship and surveillance technologies should be restricted, particularly for end users that are known to have committed human rights violations. The United States is currently updating export control requirements for emerging technologies, foundational technologies, and items used in crime control and detection. Any final rule issued by the US government should ensure that technologies enabling monitoring, surveillance, and the interception or collection of information and communications—including systems that use machine learning, natural language processing, and deep learning—are included on the Commerce Control List and cannot be sold to countries rated Partly Free or Not Free by any Freedom House publication.

Require businesses exporting dual-use technologies to report annually on the impacts of their exports. Reports should include a list of countries to which they have exported such technologies, potential human rights concerns in each of those countries, a summary of pre-export due diligence undertaken by businesses to ensure their products are not misused, any human rights violations that have occurred as a result of the use or potential use of their technologies, and any efforts undertaken to mitigate the harm done and prevent future abuses. Further, any official government export guidance should urge businesses to exercise caution and adhere to international principles on business and human rights when exporting dual-use technologies to countries rated Partly Free or Not Free by Freedom House.

Strictly regulate the use of social media surveillance tools and the collection of social media information by government agencies and law enforcement. To maintain democratic standards, any social media surveillance program employed by government or law enforcement must occur under stringent oversight and operate with transparency, including through sustained dialogue with local communities. Social media surveillance should not be used to proactively monitor peaceful protests or individuals’ involvement in nonviolent political groups. Government agencies should not conduct blanket collection of social media data as part of immigration or visa evaluations. Given the technical limitations and known inaccuracy rates of such technology, relevant oversight agencies should conduct human rights audits of the tools themselves and their use, and release their results to the public. They should further be empowered to impose penalties, and require that those harmed be granted remedy.

For the Private Sector

Design public health apps with privacy and security in mind. Software developers should build privacy and security considerations into the architecture of any new tool. From the start, clear nontechnical language should inform users about what personal information is used, how it is stored, and with whom it is shared. Users should have the opportunity to explicitly consent to the collection of data, especially when the information is not strictly necessary for the application’s core public health function. Developers should make their platforms available for third-party privacy and security audits and include opportunities for effective petition and redress for abuses. In addition, companies should avoid working with governments and private actors that perpetrate or facilitate human rights abuses.

Limit the ability of government authorities and law enforcement to conduct blanket social media surveillance. To the extent possible, social media companies should proactively assess and publicly disclose the different actors that can access their data through APIs (application programming interfaces) and large databases of semipublic data. Greater transparency around social media surveillance practices can help inform improved oversight and accountability mechanisms that can prevent instances where social media data is used to violate fundamental rights. Companies should also disclose and conduct due diligence on any existing and future partnerships with third parties to ensure they are not providing user information to companies that sell the data to governments of countries rated Partly Free or Not Free by Freedom House.

Grant users control over their information and ensure that it is not being misused. Individuals should have the ability to see what personal data companies are collecting about them and how the data is used, as well as the ability to easily turn off data collection and tracking features. Companies also need to ensure that user data is not being used or shared in ways that customers have not explicitly authorized.

Train technologists and engineers on the human rights implications of the products they are building and on international best practices for preventing their abuse. It is imperative that those building new technologies understand the ways in which the technologies can be abused or manipulated. As part of this effort, companies should conduct periodic assessments to fully understand how their products and actions might affect rights like freedom of expression or privacy. Upon completion of these assessments, companies should develop actionable plans to remedy any evident or potential harm.

For Civil Society

Conduct research on and raise awareness of intrusive new surveillance technologies. Civil society groups should engage in innovative initiatives that inform the public about the privacy and other human rights harms wrought by unchecked state and corporate data collection. Watchdog groups should engage in technical analysis to determine the human rights risks posed by smartphone apps, biometric surveillance, and other emerging technologies.

Utilize strategic litigation to push back against state surveillance. Civil society groups and their allies have won victories in court that limited state surveillance in Brazil, Estonia, Germany, South Africa, and the United States. They should participate in strategic litigation whenever possible, or provide friend-of-the-court filings that explain how digital surveillance can undermine human rights. Civil society organizations should consider carefully whether to bring cases against governments themselves or support others seeking to do so, given that the process can be complicated and costly.

Securing Elections

For Policymakers

Improve transparency and oversight of online political advertisements. In the United States, the Honest Ads Act (S.1356/H.R.2592) would modernize existing law by applying disclosure requirements to campaign advertising and requiring large digital platforms to maintain a public file of all electioneering communications that includes a copy of each ad, when it was published, its target audience, the number of views generated, and the contact information of the purchaser. The Honest Ads Act would also require platforms that distribute political ads to make “reasonable efforts” to ensure that they are not being purchased by foreign actors, directly or indirectly.

Address the use of bots in social media manipulation. In the United States, the Bot Disclosure and Accountability Act (S.2125) would authorize the Federal Trade Commission to require the conspicuous and public disclosure of bots intended to replicate human activity. The legislation would also prohibit candidates, campaigns, and political organizations from using such bots, particularly to disguise political advertising or otherwise deceive voters by giving false impressions of support from actual users.

Protect elections from cyberattacks with paper ballots and election audits. According to the recommendations of the bipartisan report on Russian interference in the 2016 election released by the US Senate Select Committee on Intelligence, paper ballots ensure votes have a verifiable paper trail, while risk-limiting audits help ensure the accuracy of results. In the United States, the Protecting American Votes and Election Act (S.1472/H.R.2754) would mandate the use of paper ballots and audits in federal elections, and provide funding for states to purchase new ballot-scanning machines.

For the Private Sector

Develop rapid response teams to address cybersecurity and disinformation incidents around elections. Ahead of significant elections and referendums in countries around the world, social media companies and other content providers should create specialized teams that anticipate digital interference, and devise strategies to prevent interference tactics and mitigate their effects. When designing and implementing new tools to address cybersecurity and disinformation, companies should communicate openly about what new policies they may be putting in place ahead of elections, and engage with local civil society organizations that can provide expertise on the political and cultural contexts in which companies work.

Ensure political advertisements are transparent and adhere to strict content standards. Companies should rigorously vet political advertisements before they are posted on their platforms to ensure legitimate association with domestic actors and compliance with applicable electoral laws. Companies should also clearly identify who has purchased each advertisement.

Improve information sharing among social media companies and between public and private sectors. As recommended by the US Senate Select Committee on Intelligence in its bipartisan report on Russia’s use of social media to interfere in the 2016 US election, social media companies should improve and formalize mechanisms that allow them to share information about malicious activity and potential vulnerabilities on their platforms amongst themselves and with governments. This will allow faster and more effective responses to foreign disinformation campaigns and other forms of interference, which often span multiple platforms. Social media users should be notified when they may have been exposed to such foreign activity, and be given information necessary to understand the malicious nature of the content.

For Civil Society

Conduct early-warning analysis on election interference tactics likely to occur in a country, and mobilize advocacy campaigns to prevent negative impacts. Civil society organizations (CSOs) should educate voters about how to spot political disinformation and flag misleading content on social media, particularly on private messaging platforms. Advocacy efforts should place public pressure on governments and telecommunications providers to refrain from blocking online content or restricting network connectivity. CSOs should also engage with election commissions to flag potential interference tactics and develop strategies to mitigate other harms to the electoral process.