Policy Recommendations

For Policymakers

Protect privacy and security

Strictly regulate the use of surveillance tools and the collection of personal information by government and law enforcement agencies. Government surveillance programs should adhere to the International Principles on the Application of Human Rights to Communications Surveillance, a framework agreed upon by a broad consortium of civil society groups, industry leaders, and scholars for protecting users’ rights. The principles, which state that all communications surveillance must be legal, necessary, and proportionate, should also be applied to open-source intelligence methods such as social media monitoring and biometric surveillance technologies. In the United States, lawmakers should reform or repeal existing surveillance laws and practices, including those under Section 702 of FISA and EO 12333—actions that may be necessary to secure data-sharing agreements with other democracies and the European Union. Policymakers should also investigate the extent to which commercial surveillance tools, such as spyware and extraction technology, have been used against Americans.

Enact robust data privacy legislation. Governments should enact updated legal frameworks that comprehensively safeguard user information. Individuals should have control over their information, including the right to access it, delete it, and easily transfer it to the providers of their choosing. Companies should be required to limit the collection of consumer data and disclose in plain language how they use it, as well as details on third parties that may access the data and how they are allowed to use it. Companies should be required to notify customers in a timely fashion if their information is compromised. Updated data privacy legislation should also provide a mechanism for independent verification of major foreign and domestic companies’ data-collection practices to ensure compliance with local laws on privacy, nondiscrimination, and consumer protection. In the United States, lawmakers should pass a federal electronic privacy law that provides robust data protections, including for biometric data, and harmonizes rules among the 50 states. The Federal Trade Commission (FTC) and other relevant agencies should be empowered to pursue privacy enforcement using existing authorities.

Protect encryption. Policymakers should recognize that robust encryption is fundamental to cybersecurity, commerce, and human rights, and that weakening encryption endangers the lives of activists, journalists, members of marginalized communities, and ordinary users around the world. Governments should refrain from introducing legislation that mandates the introduction of so-called “back doors” or reduces intermediary liability protections for providers of end-to-end encryption services. In the United States, any reforms to Section 230 of the Communications Decency Act should not undermine the ability of intermediaries and service providers to offer robust encryption.

Restrict the export of censorship and surveillance technology. Democracies should place strict limits on the sale of technologies that enable monitoring, surveillance, interception, or collection of information and communications—including spyware, extraction technology, and systems whose machine learning, natural language processing, and artificial intelligence capabilities can be misused, and should consider new multilateral export controls. When reviewing export-licensing applications, governments should give extra scrutiny to applications from companies exporting products to countries rated as Not Free or Partly Free by Freedom House. The most frequent abuses of censorship and surveillance occur in countries with these ratings. Businesses exporting technologies that could be used to commit human rights abuses should be required to report annually to the public on the impacts of their exports. Reports should include a list of countries to which they have exported such technologies, potential human rights concerns in each of those countries, a summary of pre-export due diligence undertaken to ensure their products are not misused, human rights violations that have occurred as a result of the use or potential use of their technologies, and efforts to mitigate the harm done and prevent future abuses. Further, government export guidance should urge businesses to adhere to the UN Guiding Principles on Business and Human Rights when exporting dual-use technologies to countries rated Partly Free or Not Free by Freedom House. In the United States, Congress should pass the Foreign Advanced Technology Surveillance Accountability Act, which requires the Department of State to include information on the status of surveillance and use of advanced technology in its annual report on global human rights practices. Specifically, the State Department must describe in each country report the extent of excessive surveillance and the use of advanced technology, such as facial recognition or biometric data collection, to impose (1) arbitrary or unlawful interference with privacy; or (2) unlawful or unnecessary restrictions on freedom of expression, peaceful assembly, association, or other internationally recognized human rights.

Guarantee competition, transparency, and accountability

Fully integrate human rights principles in competition policy enforcement. Strong competition in the digital market can encourage companies to create innovative products that protect fundamental freedoms and tackle online harms by empowering users to make informed choices about which products and platforms to use. When enforcing competition policy, regulators should consider the implications of market dominance on free expression, privacy, nondiscrimination, and other rights. Governments should also ensure antitrust frameworks can effectively be applied in the digital age, including by considering requirements for interoperability and data portability.

Enshrine human rights principles, transparency, and democratic oversight in laws that regulate online content. Regulations addressing online content should establish special type- and size-oriented obligations on companies, incentivize platforms to improve their own standards, and require human rights due diligence and reporting. Such requirements should prioritize broad transparency across core products and practices, including content moderation, recommendation and algorithmic systems, collection and use of data, and targeted advertising practices. Intermediaries should continue to benefit from safe-harbor protections for most user-generated and third-party content appearing on their platforms, so as not to encourage restrictions that could inhibit free expression. Laws should also protect “good Samaritan” rules and reserve decisions on the legality of content for the judiciary rather than companies or executive agencies. Internet users whose content is removed should have access to adequate systems for notice, redress, and appeal. Moreover, independent, multistakeholder bodies with sufficient resources should be empowered to oversee laws’ implementation, conduct audits, and ensure compliance.

Foster a reliable and diverse information space

Maintain access to information and support free expression online, particularly during elections, protests, and periods of conflict. Access to the internet is a human right. Intentional disruptions to internet access impact individuals’ economic, social, political, and civil rights. Governments should refrain from banning social media and messaging platforms. While such services may present genuine societal and national security concerns, bans constitute an arbitrary and disproportionate response that unduly restricts users’ cultural, social, and political speech. Governments should address any legitimate human rights or other risks posed by social media and messaging platforms through existing, democratic mechanisms—including regulatory action, security audits, parliamentary scrutiny, and legislation passed in consultation with civil society and affected stakeholders—rather than resorting to national security orders and emergency measures.

Address the digital divide. Unequal access to the internet entrenches societal inequity. In the short term, governments should work with service providers to lift data caps and waive fees for late payments; they should also support community-based initiatives to provide secure public access points and lend electronic devices to individuals who need them. Longer-term efforts should include expanding access and building internet infrastructure for underserved areas and populations, ensuring that connectivity is affordable, and enacting strong legal protections for user privacy and net neutrality. Governments should invest in digital literacy training through public education, public service advertising campaigns, and other mechanisms to target individuals from all age groups and socioeconomic backgrounds.

Protect global internet freedom

Elevate cyber diplomacy and coordination on global technology policy. Democracies should facilitate dialogue among national regulators and strengthen engagement at international standards-setting bodies. Diplomats should coordinate common approaches to countering authoritarian influence within the UN General Assembly, International Telecommunication Union (ITU), and other multilateral bodies. Multilateral decision-making should support but not replace specific internet-governance activities by nongovernmental or multistakeholder organizations. The United States should also push back against the increasing number of data localization requirements around the world. US lawmakers should pass legislation that elevates cyber policy within US foreign policy institutions, fosters greater cooperation among democratic allies, and establishes investment mechanisms for US technology in third countries, such as the Cyber Diplomacy Act (H.R.1251).

Prioritize defending and expanding internet freedom as a vital form of democracy, rights, and governance assistance. Recognizing the importance of internet freedom for the safety and efficacy of civil society around the world, governments should further resource digital security and digital activism trainings, and free software provision within existing democracy assistance programs. Governments should increase support for technologies that allow individuals in closed environments to circumvent government censorship, protect themselves against surveillance, and overcome temporary restrictions on connectivity. Such tools should be open-source, user-friendly, and locally responsive in order to ensure high levels of security and use.

For Companies

Ensure fair and transparent content moderation. To ensure content moderation policies that are respectful of users, private companies should:

• Prioritize users’ free expression and access to information, particularly for journalism; discussion of human rights; educational materials; and political, social, cultural, religious, and artistic expression.
• Clearly and completely explain in guidelines and terms of service what speech is not permissible, what aims such restrictions serve, and how the company assesses content.
• When appropriate, consider less invasive alternatives to content removal, such as labeling, fact-checking, adding context, promoting more authoritative sources, and implementing design changes that grant users more control over their information consumption.
• Ensure that content removal requests from governments comply with international human rights standards, and use all available channels to push back against problematic requests.
• Publish detailed transparency reports on content takedowns, both for those initiated by governments and for those undertaken by the companies themselves. Transparency reports should also address the use of automated and recommendation systems.
• Provide an efficient and timely avenue of appeal for users who believe that their rights were unduly restricted, including through censorship, banning, assignment of labels, or demonetization of posts.
• Refrain from relying on automated systems for flagging and removing content without opportunity for meaningful human review.
• Expand the capacity of content moderation teams by increasing their geographic and linguistic diversity, and conduct human rights due diligence assessments to ensure that implementation of moderation does not disproportionately affect marginalized communities.

Resist government orders to shut down internet connectivity or ban digital services. Service providers should use all available legal channels to challenge such requests from state agencies, whether they are official or informal. If companies cannot resist demands in full, they should ensure that any restrictions or disruptions are as limited as possible in duration, geographic scope, and type of content affected. Companies should also thoroughly document government demands internally and take steps to notify users as to why connectivity or content may be restricted, especially in countries where government actions lack transparency.

Adhere to the UN Guiding Principles on Business and Human Rights and conduct human rights impact assessments, with a commitment to do no harm. Companies should commit to respecting the rights of their users and addressing any adverse impact that their products might have on human rights. Companies should not build tools that prevent individuals from exercising their right to free expression, turn user data over to governments with poor human rights records or without judicial oversight, or provide surveillance or law enforcement equipment that is likely to be used to commit human rights violations. They should minimize the amount of data they collect, sell, and use, and clearly communicate to users what data are collected and for what purpose. International companies should not seek to operate in countries where they know they will be forced to violate international human rights principles. Where companies do operate, they should conduct periodic assessments to fully understand how their products and actions might affect rights including freedom of expression, nondiscrimination, and privacy. When a product is found to have been used for human rights violations, companies should suspend sales to the perpetrating party and develop an immediate action plan to mitigate harm and prevent further abuse. Companies should also mainstream end-to-end encryption in their products and ensure robust security protocols, including by resisting government requests to provide special decryption access.

Engage in continuous dialogue with civil society organizations to understand the implications of company policies and products. Companies should seek out local expertise on the political and cultural context in markets where they have a presence or where their products are widely used. These consultations with civil society groups should inform the companies’ approach to content moderation, managing government requests, and countering disinformation, among other activities.

For Civil Society

Conduct research on and raise awareness about censorship, surveillance, and content manipulation. Studies and surveys have shown that when users become more aware of censorship, surveillance, and disinformation, they often take actions that enhance internet freedom and protect fellow users. Civil society groups should engage in innovative initiatives that inform the public about government censorship and surveillance, as well as investigate and expose disinformation campaigns, including their origins and objectives.

Utilize strategic litigation to push back against shutdowns and censorship. Civil society groups and their allies have won victories in court that reversed network shutdowns and censorship decisions in Indonesia, India, Pakistan, Sudan, Togo, and Zimbabwe. They should participate in strategic litigation whenever possible, or provide friend-of-the-court filings that explain how certain forms or uses of digital technology undermine human rights. Civil society organizations should consider carefully whether to bring cases against governments themselves or support others seeking to do so, given that the process can be complicated and costly.

Work together with policymakers and the private sector to design and champion effective solutions. Some of the most important advances in privacy and free expression—such as the widespread adoption of end-to-end encryption and more secure communication via HTTPS browsing—derive from innovations in technical standards and product design that were advanced by advocacy groups. Multistakeholder efforts will be needed to ensure that leading democracies can offer a viable alternative to the authoritarian model of cyber sovereignty.