

Policy Recommendations: Freedom on the Net 2020
People use their mobile phones during a rally in Minsk supporting Svetlana Tikhanovskaya, a candidate for the Belarusian presidential elections. Photo credit: Nataliya Fedosenko\TASS via Getty Images.
How to foster a reliable and diverse information space, protect human rights from intrusive surveillance, and promote internet freedom.
Fostering a reliable and diverse information space
For Policymakers
Reject undue restrictions on access to information and free expression, especially during a pandemic. Governments should support and maintain access to the internet and refrain from banning social media and messaging platforms. While such services may present genuine societal and national security concerns, bans constitute an arbitrary and disproportionate response that unduly restricts users’ cultural, social, and political speech. Governments should address any legitimate human rights or other risks posed by such services through standard democratic mechanisms, including legislation passed in consultation with civil society experts and affected stakeholders, rather than resorting to national security orders and emergency measures.
Take action to address the digital divide. With jobs and schooling moving online as a result of COVID-19, the repercussions of unequal access to the internet are worsening. In the short term, governments should work with service providers to lift data caps and waive fees for late payments; they should also support community-based initiatives to provide secure public access points and to lend electronic devices to individuals who need them. Longer-term efforts could include expanding access and building internet infrastructure for underserved areas and populations, ensuring that connectivity is affordable regardless of income level, and enacting strong legal protections for user privacy and net neutrality.
For the Private Sector
Ensure fair and transparent content moderation. To accomplish this, private companies should do the following:
- Prioritize users’ free expression and access to information, particularly for content that can be considered journalism, discussion of human rights, educational materials, or political, social, cultural, religious, and artistic expression.
- Clearly and concretely define in their guidelines and terms of service what speech is not permissible, what aims such restrictions serve, and how the company assesses content.
- When appropriate, consider less invasive alternatives to content removal, such as labeling, fact-checking, adding context, and design changes that grant users more control over their information digest.
- Ensure that content removal requests from governments are in compliance with international human rights standards and use all available channels to push back against problematic requests.
- Publish detailed transparency reports on content takedowns—both for those initiated by governments and for those undertaken by the companies themselves.
- Provide an efficient and timely avenue of appeal for users who believe that their rights were unduly restricted, including through censorship, banning, assignment of labels, or demonetization of posts.
- Refrain from relying on automated systems for flagging and removing content without a meaningful opportunity for human review.
Resist government orders to shut down internet connectivity or ban digital services. Service providers should use all available legal channels to push back on such requests from state agencies, whether they are official or informal. If companies cannot resist demands in full, they should ensure that any restrictions or disruptions are as limited as possible in duration, geographic scope, and the type of content affected. Companies should also thoroughly document government demands internally, and notify users as to why connectivity or content may be restricted, especially in countries where government actions lack transparency.
For Civil Society
Conduct research on and raise awareness about censorship and content manipulation. Civil society groups should engage in innovative initiatives that inform the public about government censorship, as well as investigate and expose disinformation campaigns, including their origins and objectives. Studies and surveys have shown that when users become more aware of censorship and disinformation, they often take actions that enhance internet freedom and protect fellow users.
Utilize strategic litigation to push back against shutdowns and censorship. Civil society groups and their allies have won victories in court that reversed network shutdowns and censorship decisions in Indonesia, India, Pakistan, Sudan, Togo, and Zimbabwe. They should participate in strategic litigation whenever possible, or provide friend-of-the-court filings that explain how certain forms or uses of digital technology undermine human rights. Civil society organizations should consider carefully whether to bring cases against governments themselves or support others seeking to do so, given that the process can be complicated and costly.
Build digital literacy among the public. Civil society organizations should educate netizens about how to spot disinformation and misinformation on social media, addressing topics such as altered content, so-called deepfake videos, suspicious spelling or phrasing, and inadequate citation. Organizations should also inform internet users about how to report false or suspicious content and how to flag this content for friends and family.
Protecting human rights from intrusive surveillance
For Policymakers
Ensure that new surveillance programs meet international human rights standards for necessity, proportionality, and independent oversight. New surveillance programs meant to help combat COVID-19 must first be shown to be necessary—in the view of public health experts—for containing the spread of the virus. Any program should also be narrowly tailored, minimizing what information is collected, who collects it, and how it can be used. Any sharing of data must be transparent and subject to independent review. The information collected should be firewalled from other uses and generally destroyed after the virus is brought under control, so that authorities and private companies cannot access it later for political, law enforcement, or commercial purposes. Any programs involving the use of smartphone apps should be voluntary, with no participation requirements for access to public services.
Enact robust data privacy legislation and protect encryption. In the United States, policymakers should pass a federal electronic privacy law that provides robust data protections and harmonizes rules among the 50 states. They should also resist legislative attempts to undermine encrypted services, including through the use of “back doors.” Individuals should have control over their information and the right to access it, delete it, and transfer it to the providers of their choosing. Governments should have the ability to access personal data only in limited circumstances as prescribed by law, subject to judicial authorization, and within a specific time frame. Companies should also be required to disclose in nontechnical language how they use customer data, details on third parties that have access to the data, and how third parties are allowed to use the data. Companies should also be required to notify customers in a timely fashion if their information is compromised. Given the technical measures—including cyberattacks—that both foreign and domestic actors use to access citizens’ personal information, data privacy legislation should be paired with cybersecurity requirements concerning the collection and storage of user data.
Firmly restrict new surveillance technologies that employ biometrics and artificial intelligence. Lawmakers should pass a moratorium on the use of facial- and other affect-recognition technologies in sensitive areas such as law enforcement, education, employment, health care, and housing, and future legislation governing these technologies should be informed by additional research on their potential harms to human rights. State and local governments should follow the lead of municipalities in California, Oregon, Massachusetts, and other US states that have passed moratoria or bans on the use of biometric and AI surveillance.
Improve oversight of and create alternatives to algorithmic decision-making. Governments should be explicit about how, when, where, and why they use automated systems. Procurement processes for such technology should be transparent and include human rights–based impact assessments. Government agencies should create pathways to ensure human oversight and explanation, especially when algorithmic decision-making determines access to public services like education, health care, and housing. Automated systems should be routinely audited to ensure that they comply with antidiscrimination laws and other rights-based standards. Furthermore, governments should establish mechanisms for appeal and redress in cases of discrimination by algorithm.
For the Private Sector
Design public health apps with privacy and security in mind. Software developers should build privacy and security considerations into the architecture of any new tool. From the start, clear nontechnical language should inform users about what personal information is used, how it is stored, and with whom it is shared. Users should have the opportunity to explicitly consent to the collection of data, especially when the information is not strictly necessary for the application’s core public health function. Developers should make their platforms available for third-party privacy and security audits and include opportunities for effective petition and redress for abuses. In addition, companies should avoid working with governments and private actors that perpetrate or facilitate human rights abuses.
For Civil Society
Conduct research on and raise awareness of intrusive new surveillance technologies. Civil society groups should engage in innovative initiatives that inform the public about the privacy and other human rights harms wrought by unchecked state and corporate data collection. Watchdog groups should engage in technical analysis to determine the human rights risks posed by smartphone apps, biometric surveillance, and other emerging technologies.
Utilize strategic litigation to push back against state surveillance. Civil society groups and their allies have won victories in court that limited state surveillance in Brazil, Estonia, Germany, South Africa, and the United States. They should participate in strategic litigation whenever possible, or provide friend-of-the-court filings that explain how digital surveillance can undermine human rights. Civil society organizations should consider carefully whether to bring cases against governments themselves or support others seeking to do so, given that the process can be complicated and costly.
Promoting internet freedom amid a rise in cyber sovereignty
For Policymakers
Preserve broad protections against intermediary liability. Companies should continue to benefit from safe-harbor protections for most user-generated and third-party content appearing on their platforms, in keeping with principles that have allowed for a historic blossoming of artistic expression, economic activity, and social campaigning. Policies ostensibly meant to enforce political neutrality would in practice open the door to politicized government interference and negatively impact “good Samaritan” rules that enable companies to moderate harmful content without fear of unfair legal consequences. In line with the Manila Principles, governments should work together with technical, legal, and human rights experts to establish meaningful oversight measures for technology companies, including the ability to evaluate their content moderation practices for transparency, proportionality, and the effectiveness of appeals processes.
Restrict the export of censorship and surveillance technology. Given the significant potential for abuse, trade in censorship and surveillance technologies should be restricted, particularly for end users that are known to have committed human rights violations. The United States is currently updating export control requirements for emerging technologies, foundational technologies, and items used in crime control and detection. Any final rule issued by the US government should ensure that technologies enabling monitoring, surveillance, and the interception or collection of information and communications—including systems that use machine learning, natural language processing, and deep learning—are included on the Commerce Control List and cannot be sold to countries rated Partly Free or Not Free by any Freedom House publication.
Bolster cyber diplomacy in defense of an open, free, and global internet. Diplomats should make greater efforts to push back against data localization requirements around the world, particularly in repressive countries where the human rights implications for local users are stark. In the United States, the proposed Cyber Diplomacy Act (H.R.739) would establish an Office of International Cyberspace Policy within the State Department, headed by an ambassador for cyberspace, to lead cyber diplomacy efforts. The office would be tasked with implementing a US international cyber policy that advances democratic principles and promotes an open, interoperable, and secure internet governed by a multistakeholder model. The legislation requires the inclusion of internet freedom in annual State Department country assessments and the formulation of a strategy for engaging foreign governments to develop international norms of responsible state behavior on cyber issues.
Lead by example. Freedom House research consistently shows that governments learn from one another, copying restrictive policies and actions from foreign states to implement at home. This includes less free governments that cite the actions of democracies to justify their own repressive policies. Democratic leaders should demonstrate respect for internet freedom principles by adhering to domestic legislation in line with international human rights laws and standards, and by refraining from rhetoric that undermines these standards.
For the Private Sector
Adhere to the UN Guiding Principles on Business and Human Rights and conduct human rights impact assessments for new markets, with a commitment to do no harm. Companies should commit to respecting the rights of their users and addressing any adverse impact that their products might have on human rights. Companies should not build tools that prevent individuals from exercising their right to free expression, turn user data over to governments with poor human rights records, or provide surveillance or law enforcement equipment that is likely to be used to commit human rights violations. International companies should not seek to operate in countries where they know they will be forced to violate international human rights principles. Where companies do operate, they should conduct periodic assessments to fully understand how their products and actions might affect rights like freedom of expression or privacy. When a product is found to have been used for human rights violations, companies should suspend sales to the perpetrating party and develop an immediate action plan to mitigate harm and prevent further abuse.
Engage in continuous dialogue with civil society organizations to understand the implications of company policies and products. Companies should seek out local expertise on the political and cultural context in markets where they have a presence or where their products are widely used. These consultations with civil society groups should inform the companies’ approach to content moderation, managing government requests, and countering disinformation, among other activities.
For Civil Society
Work together with policymakers and the private sector to design and champion effective solutions. Some of the most important advances in privacy and free expression—such as the widespread adoption of end-to-end encryption or HTTPS browsing—derive from innovations in technical standards and product design that were effectively pushed by advocacy groups. Multistakeholder efforts will be needed to ensure that leading democracies can offer a viable alternative to the authoritarian model of cyber sovereignty.