By Renata Avila, Senior Advisor on Digital Rights
Companies and governments are rushing to connect the next billions. And there is no shortage of tech solutions being proposed to improve the lives of the poor across the Global South using the web. From biometric readers to determine the age of refugees, to electronic cards to track and improve the habits of those receiving conditional cash transfers, there is a tendency to experiment with new technologies on marginalised or vulnerable communities, supposedly for their own good.
But what kind of web are the newly connected finding when they come online? A glance at recent reports of privacy and data breaches across the Global South shows that it may be a web where the citizens of these countries do not enjoy as safe an online environment as their Western counterparts.
In some cases, this may be because some governments who are overwhelmed with other challenges do not yet see online security as a policy priority. Often there is simply no relevant legislation in place to protect citizens, or such laws have significant gaps or are hopelessly outdated. But in other cases, authoritarian regimes deliberately undermine privacy and data protection in order to spy on and control their citizens, as evidenced by the Hacking Team revelations. Just this week, even US President Trump signed an executive order scrapping the application of privacy protections to users who are not US citizens or permanent residents.
Compounding this problem, all too often NGOs, businesses and governments who are operating in these countries are guilty of only applying national levels of protection instead of ensuring international human rights and technical standards offer users the highest levels of digital protection. This creates an unequal world where the digital rights of those from the wealthiest countries are protected by bilateral treaties and national laws and institutions, while the same does not apply in the Global South. In many developing countries, companies have little pressure to rein in sloppy security practices, and in some cases are grasping a tempting short-term opportunity to extract as much data as possible without the costs of complying with stringent privacy and data protection laws.
Just such an example was reported in the fall of 2016: an unprotected database containing personal customer data of thousands of off-grid electricity customers from a “social startup” operating in Guatemala and South Africa was accessible for months. The users were completely unaware of it; they had limited access to electricity and many of them were illiterate. All the documents and fingerprints they used to enrol in the startup’s services were available for abuse, potentially enabling others to create fake identities with original copies of their documents and personal data. This is not an isolated incident – the number of data breaches nearly doubled last year. Many in the Global South are particularly vulnerable, unable to control how their personal data is used, or not yet aware of the risks of technology.
Incidents like these result from short-term thinking. NGOs, governments and businesses that rely on digital services must begin to think long-term, particularly about the impact of these breaches on citizen and consumer trust. If people don’t trust their technology to provide a reasonable level of privacy, they are less likely to embrace digital services for basic activities like communicating with friends and family, organising politically, managing their finances, and accessing public services. What’s more, businesses and NGOs operating in countries with political risk have an additional ethical imperative to ensure their platforms are not used to conduct human rights violations and/or construct an authoritarian state.
So how can companies and NGOs operate responsibly and ethically in this challenging environment?
For the time being, users are being advised to use short-term solutions – from covering their device cameras to using Tor or VPNs to hide their online activities. But these are not sustainable solutions for restoring trust. What we need is a global standard of privacy and data protection norms that companies and NGOs will come to see as integral to conducting their activities ethically, responsibly and minimising their own exposure and risk.
Today is Privacy and Data Protection Day, the perfect opportunity for companies and NGOs to take proactive steps and pledge to grant the highest standards of digital protection to all users and consumers regardless of jurisdiction. Certainly aid agencies and governments should not condition the provision of humanitarian assistance on invasive data collection practices.
The web has made our world increasingly borderless, and digital security should be borderless too, not just a privilege of those who can afford it or who are fortunate enough to live in jurisdictions with strong safeguards. For starters, we might look to the Council of Europe Privacy Convention, an international instrument protecting personal data that non-EU countries can adopt. We must work with civil society, unions, consumer associations, policy makers, political parties and government officers to develop and refine best practices, to ensure all web users, regardless of where they are, enjoy equal privacy and data protection standards worldwide.
Renata Avila is an advisor at the World Wide Web Foundation and a Guatemalan human rights and intellectual property lawyer. As part of her longstanding advocacy work in the field of internet and human rights, she led the Web We Want campaign to uphold human rights in the digital age in more than 75 countries. She sits on the Board of Creative Commons, is a trustee of the Courage Foundation and is an advisory board member of Diem25. She is currently writing a book about Digital Colonialism.