Juris Centre

Cybersecurity and Human Rights 

In the digital age, the intersection of cybersecurity and human rights has emerged as a critical area of concern. As society becomes increasingly reliant on digital technologies for communication, commerce, governance, and daily activities, ensuring robust cybersecurity measures is essential to protect against cyber threats such as data breaches, hacking, and cyber espionage. Yet, these cybersecurity measures frequently carry substantial consequences for human rights, notably affecting privacy, freedom of expression, and the ability to access information.  

Cybersecurity aims to safeguard digital infrastructure and personal data, but it can sometimes conflict with human rights principles. For example, state surveillance programs designed to enhance national security can infringe upon individuals’ privacy and freedom of expression. Similarly, measures like internet shutdowns and data localization requirements, while intended to secure digital environments, can restrict access to information and impede free communication. 

Definition of Cybersecurity 

Cybersecurity refers to the practices and technologies designed to protect systems, networks, and data from cyber-attacks. These attacks aim to access, alter, or destroy sensitive information, extort money, or disrupt business operations. It encompasses both technical solutions and policies to defend against these threats. 

Importance of Cybersecurity in Digital Age 

Cybersecurity is crucial in the digital age because it protects sensitive data, maintains business operations, and builds trust. As more personal and corporate data are stored online, robust cybersecurity measures are essential to prevent unauthorized access, breaches, and cyber-attacks. These attacks can disrupt operations and cause significant financial losses, especially in critical sectors like banking, healthcare, and infrastructure. Ensuring strong cybersecurity helps businesses comply with legal and regulatory requirements, avoiding penalties and ensuring they meet industry standards. On a national level, cybersecurity is vital for protecting government systems, critical infrastructure, and military operations from cyber warfare and espionage, thus safeguarding national security. It also plays a key role in economic stability by protecting financial systems, stock exchanges, and supply chains from disruptive cyber incidents. Additionally, with the rise of interconnected devices through the Internet of Things (IoT), cybersecurity is increasingly important for personal safety, as compromised devices can pose significant risks. Finally, cybersecurity is essential in preventing cybercrime, such as identity theft, fraud, and ransomware attacks, which can cause severe harm to individuals and organizations. As digital technologies continue to evolve, the importance of effective cybersecurity measures will only grow, making it a fundamental component of modern life. [1]

Cybersecurity: Concept and Challenges 

Network safety is paramount in today’s digital era, encompassing practices that protect computer systems, networks, and data from unauthorized access or harm. Confidentiality ensures sensitive information is restricted to authorized entities, while integrity maintains data accuracy and reliability by preventing unauthorized changes. Availability guarantees uninterrupted access to systems and data, crucial in preventing downtime. Authentication verifies user or system identities, while authorization grants appropriate access based on roles or permissions. Encryption converts data into a secure form, safeguarding it during transmission or storage. These measures collectively establish a strong foundation for cybersecurity in the modern technological landscape. 

Cybersecurity challenges are dynamic and varied, encompassing threats like malware, phishing, data breaches, advanced persistent threats (APTs), insider attacks, and IoT vulnerabilities. These challenges exploit system weaknesses, manipulate users, steal data, disrupt operations, and compromise network integrity, highlighting the need for comprehensive cybersecurity strategies and defences. 

Human Rights in Digital Age 

Human rights in the digital age refer to the application and protection of fundamental human rights in the context of digital technologies and the online environment. As technology continues to advance, it has created new opportunities and challenges for the protection and enjoyment of human rights. Essential elements concerning human rights in the digital era: 

  • Freedom of Expression: The internet has increased the avenues for individuals to express their opinions and acquire information. Nevertheless, restrictions on online speech and censorship continue to be significant concerns in many regions worldwide.  
  • Privacy: The collection, use, and storage of personal data by governments and private entities raise significant privacy concerns. Surveillance practices, data breaches, and the absence of personal information control pose significant challenges. The internet holds the potential to democratize information access, empowering people to seek and exchange knowledge. However, the digital disparity, censorship, and access restrictions pose barriers to universal information access.  
  • Digital Security: It’s essential to safeguard individuals’ digital security and ensure their online safety. Cyberattacks, identity theft, and online harassment can jeopardize people’s well-being and deter them from freely exercising their rights. 
  • Digital Divide: The uneven distribution of digital technologies and internet access creates a disadvantage for marginalized individuals or those with limited resources, limiting their opportunities. Bridging the digital divide is essential for ensuring equal participation and access to information. 
  • Online Human Rights Activism: The emergence of digital technologies has created fresh opportunities for human rights activism, enabling individuals and organizations to advocate for change and raise global awareness. However, activists also encounter risks such as surveillance, harassment, and censorship. [2]

Cybersecurity and Human Rights: A Complex Interconnection  

The relationship between cybersecurity and human rights is a complex and evolving area of concern. While cybersecurity aims to protect computer systems and data from cyber threats, it must be balanced with the preservation of human rights and fundamental freedoms. The following factors emphasize the interconnection between the two:  

  • Right to Privacy: Cybersecurity measures, including data collection and surveillance, have the potential to violate individuals’ privacy rights. Finding the right balance is essential to ensure that cybersecurity practices do not unduly compromise privacy rights.  
  • Freedom of Expression: Cybersecurity measures should not serve as a pretext for suppressing freedom of expression. Governments and organizations must refrain from using cybersecurity as a justification for censorship or silencing dissenting voices.  
  • Access to Information: While cybersecurity is crucial for protecting information, overly stringent security measures can restrict access, hindering individuals’ right to seek, receive, and share information. Balancing security and accessibility are necessary to avoid undue limitations on this right. 
  • Due Process and Rule of Law: In the pursuit of cybersecurity, it is essential to ensure that law enforcement and intelligence agencies operate within the bounds of the rule of law. Measures should be subject to legal oversight, and individuals’ rights to due process, fair trials, and the presumption of innocence must be upheld. 
  • Protection of Vulnerable Groups: Vulnerable individuals or groups may face unique challenges in the digital realm, such as online harassment or targeted cyberattacks. Cybersecurity measures should take into account their specific needs and safeguard them from discrimination and harm.  
  • Cybersecurity and Economic, Social, and Cultural Rights: The availability and affordability of secure digital infrastructure are critical for the realization of economic, social, and cultural rights. Sufficient cybersecurity measures should be implemented to safeguard individuals’ ability to access essential services, education, and cultural expression. 

International Legal Frameworks and Standards. 

The international legal frameworks and standards concerning cybersecurity and human rights are crucial components of global governance. These frameworks outline guidelines and principles that governments, organizations, and individuals should adhere to in the realm of cybersecurity, ensuring the protection of fundamental human rights. Key aspects of these frameworks include: 

  • Universal Declaration of Human Rights (UDHR): The UDHR, adopted by the United Nations General Assembly in 1948, sets out the fundamental rights and freedoms to which all individuals are entitled. These include the right to privacy, freedom of expression, access to information, and protection against discrimination. 
  • International Covenant on Civil and Political Rights (ICCPR): The ICCPR, along with its Optional Protocol, provides a legally binding framework for the protection of civil and political rights. It covers rights such as freedom of speech, assembly, and association, which are relevant to cybersecurity and human rights discussions. 
  • European Convention on Human Rights (ECHR): The ECHR, established by the Council of Europe, protects human rights in Europe. It includes provisions related to privacy, freedom of expression, and the right to a fair trial, which intersect with cybersecurity issues. 
  • Convention on Cybercrime (Budapest Convention): The Budapest Convention, developed by the Council of Europe, addresses cybersecurity concerns such as cybercrime, data protection, and international cooperation in investigations. It emphasizes the protection of human rights while combating cyber threats. 
  • UN Guiding Principles on Business and Human Rights: These principles outline the responsibilities of businesses in respecting human rights, including in the context of cybersecurity. They emphasize the need for businesses to conduct due diligence, prevent human rights abuses, and provide remedies for any violations that occur. 
  • Regional and National Legislation: Many regions and countries have enacted specific laws and regulations related to cybersecurity and human rights. These include data protection laws, cybercrime legislation, and policies aimed at safeguarding privacy and freedom of expression online. 
  • International Telecommunication Union (ITU) Standards: The ITU develops standards and guidelines related to cybersecurity, telecommunications, and information technology. These standards often incorporate human rights considerations, promoting a balance between security measures and respect for individual rights. 

Overall, these international legal frameworks and standards serve as foundational pillars for addressing the complex intersection of cybersecurity and human rights, guiding efforts to protect both security and fundamental freedoms in the digital age. 

Key Enactments in India: Navigating Cybersecurity and Human Rights 

India has enacted various laws and regulations pertaining to cybersecurity and human rights to address the challenges and opportunities presented by the digital age. Some key enactments in India include: 

  • Information Technology Act, 2000 (IT Act): The IT Act is the primary legislation governing cybersecurity in India. It addresses a wide range of issues, including electronic transactions, digital signatures, data protection, and cybercrimes. Sections such as 43A (compensation for failure to protect data) and 66A (pertaining to offensive online content, which was later struck down by the Supreme Court) have significant implications for cybersecurity and human rights. 
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules issued under the IT Act prescribe standards for the protection of sensitive personal data and information. They require organizations handling such data to implement reasonable security practices and procedures to safeguard the privacy and security of individuals’ data. 
  • The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016: The Aadhaar Act establishes a unique identification system based on biometric and demographic information. It addresses concerns related to data protection, privacy, and security in the context of Aadhaar-based services and transactions.  
  • Right to Information Act, 2005 (RTI Act): The Right to Information (RTI) Act grants citizens the authority to request information from public authorities, promoting transparency and accountability. It plays a role in ensuring access to information, which is a fundamental aspect of human rights in the digital era. 
  • Data Protection Bill: In August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023, after years of deliberations. This new law is India’s first comprehensive regulation for personal data protection across sectors. It introduces a more modest approach, reducing obligations for businesses while enhancing protections for consumers. Notably, the DPDP Act allows personal data to be processed for any lawful purpose, marking a significant change in data handling and regulation in the country. [3]

These enactments, among others, form the legal framework for addressing cybersecurity challenges and upholding human rights principles in India’s digital ecosystem. They reflect the country’s evolving approach to balancing technological advancements with the protection of individual rights and privacy. [4]

Analysing Cyberattacks’ Impact Through Case Studies 

  • Aadhaar Data Privacy Breach Scandal: 

Between 2017 and 2018, Aadhaar, India’s biometric identification system, faced significant data breaches. The breaches were highlighted by reports, including one from The Tribune, revealing the sale of Aadhaar data for a small amount. The Unique Identification Authority of India (UIDAI) initially denied these claims but later acknowledged unauthorized access. Other instances of data leaks were also reported, raising legal and ethical concerns about privacy and data protection. These breaches emphasized the need for robust cybersecurity measures and better handling of sensitive personal information in national identification systems like Aadhaar. [5]

  • Blackbaud, Inc. Data Security Breach Litigation: 

In July 2020, a company that provides customer relationship management services to non-profits and educational institutions disclosed a ransomware attack affecting over 120 organizations. The attack occurred in February 2020 but was only discovered in May during the COVID-19 pandemic. Hackers encrypted some data sets and copied a subset before being locked out. The company paid to retrieve the data, which did not include financial details but involved personal information of donors. 

By November 2020, insurance recoveries were confirmed, and in March 2023, the company settled a $3 million agreement with the SEC related to the incident. Later in October 2023, a $49.5 million settlement was reached with attorneys general from 49 U.S. states, concluding a multi-state investigation into the ransomware attack and data breach. [6]

Harmonizing Cybersecurity and Human Rights: 

A balanced approach to cybersecurity entails implementing effective measures while upholding human rights. This includes enacting clear legislation that protects digital infrastructure without compromising individual privacy and freedom of expression. Technological solutions like encryption should be used to secure data while respecting user privacy. Transparency is crucial, ensuring that data handling practices are transparent, and mechanisms for accountability are in place if breaches occur. Education campaigns are essential to inform the public about cybersecurity risks and empower them to make informed decisions. 

Collaboration between government, businesses, and civil society can enhance cybersecurity resilience and promote information sharing. Ethical considerations must be integrated into cybersecurity practices, emphasizing fairness in decision-making processes. International cooperation is also vital to address global cybersecurity challenges while maintaining human rights standards. Oversight bodies should monitor practices, assess their impact on rights, and recommend improvements through regular reviews and audits. 

Conclusion 

In conclusion, the intricate relationship between cybersecurity and human rights underscores the need for a balanced and comprehensive approach. As digital technologies continue to advance, the protection of sensitive data and digital infrastructure is paramount, but not at the expense of individual rights and freedoms. This article has delved into the complexities of this intersection, highlighting key concepts, challenges, and solutions.  

Effective cybersecurity measures must be implemented alongside robust legal frameworks and international standards that uphold human rights principles. Collaboration among stakeholders, including governments, civil society, the private sector, and technical experts, is essential to navigate these complexities successfully. Transparency, accountability, and the incorporation of human rights considerations into cybersecurity strategies are fundamental aspects of this approach. 

The case studies presented demonstrate the real-world consequences of cyberattacks on freedom of expression, privacy, and access to information. These examples underscore the urgency of adopting a balanced strategy that combines effective cybersecurity measures with human rights protection. Furthermore, the legal landscape, both at the international and national levels, plays a crucial role in shaping cybersecurity policies that respect individual liberties. 

Moving forward, continuous adaptation and improvement of cybersecurity frameworks are necessary to address emerging challenges effectively. By promoting collaboration, respecting human rights, and adhering to international standards, we can navigate the digital landscape while ensuring both security and the protection of fundamental rights in the digital age. 

[1] Cyber Security and human rights. Available at: https://www.researchgate.net/publication/321964451_Cyber_Security_and_Human_Rights (Accessed: 15 June 2024).

[2] Cyber Security and human rights. Available at: https://www.researchgate.net/publication/321964451_Cyber_Security_and_Human_Rights (Accessed: 17 June 2024).

[3]  Summary – The Digital Personal Data Protection Act, 2023. Available at: https://www.dsci.in/files/content/documents/2023/DSCI Summary-DPDP Act, 2023.pdf (Accessed: 15 June 2024).

[4] Top cybersecurity regulations in India [updated 2024]: Upguard (no date) RSS. Available at: https://www.upguard.com/blog/cybersecurity-regulations-india (Accessed: 18 June 2024).

[5] Aadhaar data leak: Personal Data of 81.5 crore Indians on sale on dark web: Report (no date) The Economic Times. Available at: https://economictimes.indiatimes.com/tech/technology/aadhar-data-leak-personal-data-of-81-5-crore-indians-on-sale-on-dark-web-report/articleshow/104856898.cms?from=md (Accessed: 16 June 2024).

[6] Paid ransom to have the hijacked data destroyed by the Cybercriminals (no date) Cyber Security Case Studies. Available at: https://www.cybersecuritycasestudies.com/library/paid-ransom-to-have-the-hijacked-data-destroyed-by-the-cybercriminals (Accessed: 19 June 2024).

Author: Akhila V

Leave a comment