Responsible Business Conduct in Cyberspace
30 April 2015
At the Global Conference on CyberSpace held in The Hague in April, I spoke about human rights in the context of the development and sale of surveillance technology and software – a fascinating topic that deserves increased attention.
What kind of business are we talking about? And what human rights are at stake?
Surveillance and reconnaissance technologies invoke images of Hollywood spy movies. This is a world of deep packet inspection (DPI), spyware, keyloggers, Trojan horses and password sniffing – tools invented to observe, capture and explore the behaviour and identities of people and organisations on computer networks. Sellers of such technologies often justify their use by saying they are intended to support law enforcement or protect the public welfare (e.g. by protecting against terrorist activity), but the same tools can also be used by purchasers to facilitate human rights violations.
For example, recently a criminal complaint was brought against a French company, Amesys, which provided the former Libyan government with surveillance technology and support in using this technology. It is alleged this technology was used by the government to monitor opposition activists who were subsequently arrested, detained and tortured. The case is currently pending an outcome.
While all surveillance technologies impact the right to privacy, this example demonstrates that other human rights are also at stake, including freedom of expression, freedom of association and freedom from torture.
Selling spyware is a tricky business
It can be difficult to reach a definitive assessment of whether a surveillance product is good or bad in terms of its human rights impact because, as noted, products are often developed to protect human rights and then applied to do just the opposite. Furthermore, the rapid evolution of technology makes it difficult to regulate these types of products and services. For example, sophisticated export control regimes exist for goods and services that are ‘dual use’, i.e. products that can be used for both military and civilian purposes. However, because of the fast pace of technological development, such control regimes often end up ‘regulating the past’, as advancing technology makes current regulation irrelevant.
Marietje Schaake, member of the European Parliament, correctly stated during our panel at the conference that there is a legal vacuum in this area. Despite the challenges, governments have a duty to protect human rights and therefore should establish and enforce regulation to ensure that they are conforming to this duty. The European Commission and some EU member states are exploring what could be done in this regard by conducting a review of EU export control policy and seeking areas of clarification.
In addition to regulation, international instruments on business and human rights have a role to play. For example, corporations have the responsibility to respect human rights under both the UN Guiding Principles for Human Rights and Business (UNGPs) and the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (‘the OECD Guidelines’). These instruments do not provide a silver-bullet solution to the issue – soft law is non-binding and thus has its limitations.
At the same time, non-binding instruments are not without impact or consequence. The UNGPs restate the state’s obligation to protect human rights, which it cannot abdicate, and companies have the obligation to comply with laws, which is likewise not optional. Furthermore, although the OECD Guidelines are non-binding for companies, they have a built-in grievance mechanism that gives them some bite. The governments of the 46 states adhering to the Guidelines made a binding commitment to implement the National Contact Point (NCP) mechanism, the grievance platform of the Guidelines. NCPs are mandated to provide good offices to consider cases of alleged non-observance of the OECD Guidelines.
NCPs in Action: Human rights issues in the ICT sector
A case recently brought to the NCP mechanism is a good illustration of the application of the OECD Guidelines to these issues. The case was brought by a consortium of NGOs led by Privacy International (PI), consisting of the European Centre for Constitutional and Human Rights (ECCHR), Reporters Without Borders, the Bahrain Centre for Human Rights, and Bahrain Watch. In February 2013 this group submitted a complaint to the UK NCP alleging that Gamma International had supplied a spyware product – FinFisher – to agencies of the Bahrain government, which had used it to target pro-democracy activists.
When cases are brought to the NCP mechanism, the first course of action is an offer of mediation to try to solve the problem. Where mediation fails, NCPs conduct their own examination and make recommendations to the company. Sometimes they may reach a determination of whether the business’ behaviour was in line with the OECD Guidelines. In the Gamma case the mediation effort failed. The NCP then went on to conclude that Gamma had not acted consistently with the provisions of the OECD Guidelines requiring enterprises to carry out appropriate due diligence, to have a policy commitment to respect human rights and to remediate human rights impacts, as outlined in paragraphs 68 and 69. Furthermore, the company’s approach had not met the OECD Guidelines’ standards on respecting human rights, and the company’s engagement with the NCP process was unsatisfactory, particularly in view of the serious nature of the issues.
The NCP recommended that Gamma International and the Gamma Group:
- Take note of international evidence and UK Government advice in shaping its due diligence processes;
- Participate in industry best practice schemes and discussions;
- Reconsider its communications strategy to offer the most transparent and consistent engagement appropriate to its sector;
- Where it is identified that its products may have been misused, cooperate with official remedy processes used by victims of the misuse.
Consequences with bite
Even if non-binding, the NCP’s conclusion and recommendations have important impacts. First of all, such a determination may cause significant reputational damage to the company. Secondly, some governments base some of their decisions in part on NCP statements such as this one, e.g. in the context of public procurement decisions or in providing support to international operations. For example, export credit agencies of OECD member countries must take into account the final statements of NCPs when they make decisions on export credit guarantees. Additionally, some countries have taken NCP decisions and processes into account in their commercial diplomacy.
Beyond government-related commercial consequences, financial institutions are increasingly conducting human rights due diligence to assess the risks an investment or loan could face. This is to avoid being considered directly linked to such impacts, as well as to avoid the commercial risks associated with such operations. Likewise, institutional investors have increasingly started to apply pressure in situations where human rights issues are identified and in some cases have been known to pull their investment where adverse impacts are not adequately addressed. For example, in 2010 investors withdrew from the mining company Vedanta following an upheld NCP complaint. All this can increase the cost of capital.
Resources for human rights due diligence in the ICT sector
In the case of Gamma one of the NCP’s recommendations was that the company engage in human rights due diligence. The Chair’s Statement of the Global Conference on Cyber Space also highlighted the importance of due diligence. But what does human rights due diligence actually mean for the ICT sector, particularly for companies that sell surveillance and reconnaissance technology?
Due diligence is part of a broader range of actions corporations should undertake to respect human rights. For example, under this expectation companies should have a policy commitment to respect human rights, assess human rights risks, provide remediation when adverse impacts are caused or contributed to, and promote transparency throughout their supply chains. The essence of due diligence is the process of identifying, preventing and mitigating actual and potential adverse human rights impacts, and accounting for how these impacts are addressed. If there is a risk of severe human rights impacts, a heightened form of due diligence is recommended. For example, significant caution should be taken with regard to the sale and distribution of surveillance technology when the buyer is a government with a poor human rights track record.
The European Commission has developed a guide on implementing the UNGPs in the ICT sector which provides useful guidance to companies on this issue. The guide provides that “[i]n all cases, companies should not sell, or facilitate the sale or integration of, product, services or technologies to governments or other end users if they know, or have reason to know, that they are likely to be used in abusing human rights.” In addition, it articulates the steps that can be taken to identify and address misuse of a company’s products. These include pre-sale due diligence, including a ‘know your customer’ approach to determine the end user of the product, and including respect for human rights in contracts. Finally, as part of ongoing or post-sale due diligence, leverage could be used during the delivery of the products or services. The regular updating of software could, for example, provide an opportunity to use influence in favour of respect for human rights.
TechUK, an industry association of ICT companies in the UK, has also published, in partnership with the UK government, a guide on assessing cyber security export risks. This publication is a valuable resource for industry on how to design and implement appropriate due diligence processes.
Additionally, the Electronic Frontier Foundation has developed a guide on How Corporations Can Avoid Assisting Repressive Regimes, and the Global Network Initiative has developed principles on Freedom of Expression and Privacy. Both documents are valuable guides on implementing the ‘know your customer’ principle in the context of ICT business operations.
To conclude, governments have a duty to protect against human rights violations in relation to surveillance and reconnaissance technology, and efforts must be made to close the current regulatory gap in this regard. In addition, companies have to fulfil their responsibility to respect human rights. Businesses engaged in surveillance, blocking, or network disruption need to go beyond consulting sanctions lists and export control lists to developing and implementing human rights due diligence processes, as recommended by the OECD Guidelines. Furthermore, enhanced human rights due diligence is necessary when selling products to governments with a poor human rights track record. Responsible business conduct in the ICT sector contributes to protecting the bottom line as well as human rights worldwide.