security

• TAIWAN: ‘China will do to us what it did to Hong Kong, and what it has long done to Tibetans and Uighurs’

  CIVICUS speaks about the situation in Taiwan withMin-Hsuan Wu, known as ttcat,a social movement activist and campaigner and co-founder and CEO of a Doublethink Lab.

  Founded in 2019, Doublethink Lab is a civil society organisation (CSO) focused on researching malign Chinese influence operations and disinformation campaigns and their impacts, bridging the gap between the democracy movement, tech communities and China experts, and facilitating a global civil society network to strengthen democratic resilience against digital authoritarianism.

  What is the story behind Doublethink Lab?

  Doublethink Lab was founded three years ago, in September 2019. Four years ago, we experienced a tremendous amount of disinformation influencing our 2018 local elections. After these elections, there were lots of signals and leads of information-related, mostly disinformation campaigns – all affiliated with or supported by China.

  We realised that to tackle the challenge of strengthening and safeguarding our democracy we needed people to combine their talents and diverse professional backgrounds into a project focused on digital defence.

  Our main mandate is to produce a better understanding of how Chinese external propaganda functions and effectively influences political processes and public opinion elsewhere, including in Taiwan.

  Our strategy to combat disinformation differs from the usual fact-checking initiatives. Our work isn’t published in fact-checking reports. Instead, we follow the disinformation to try to understand who is spreading it and whether it is being spread by our citizens dynamically or by other kinds of actors funded by the Chinese state. Often, when analysing social media posts, it is possible to see the huge structure made up of Chinese bots liking, sharing and retweeting disinformation.

  What is the likely outcome of rising Chinese aggression toward Taiwan?

  It’s not news that tensions between Taiwan and China are increasing. China is increasingly using ‘grey zone’ tactics to push boundaries, increasing pressure and influencing people. Through various means, China is threatening Taiwanese people. This clearly increases the chance of the whole situation leading to China invading Taiwan.

  Most military experts would agree that this won’t happen right now, with Xi Jinping having just secured his third term as chairman of the Chinese Communist Party and awaiting confirmation of a third term as president of China. Some say an invasion could occur in 2025 or 2027, but I think it will depend on how strongly the Taiwanese people can defend themselves from now on: if our resistance increases, the costs of an invasion for China increase accordingly. Our resistance might therefore postpone the crystallisation of China’s wishes for a bit longer.

  On the other hand, China’s tactics may be backfiring: as China escalates militarily against us, the Chinese narrative is becoming less and less popular in Taiwan. More and more people have realised China is not a good neighbour. It is no longer thought of as a business opportunity for us but as a potent threat to our ways of life, our livelihoods and our lives. China’s aggressive attitude is pushing Taiwanese people towards embracing defence tactics to protect our country, which is a positive thing for us. We are much more aware of the need to build strong national and civil defence now.

  Did the recent visit by US House Speaker Nancy Pelosi make any difference, for better or worse?

  Pelosi’s visit didn’t complicate the situation, but whether we see it as helpful or not depends on the perspective we look at it from. Her visit in August 2022 was meant as a show of support to Taiwan, and happened despite China’s threats of retaliation. It was the first visit by a US House Speaker in a quarter of a century. From a democracy or human rights perspective, it was quite beneficial. Pelosi spoke up against China’s human rights violations and the challenges posed by totalitarian regimes. Her presence brought visibility to our country’s situation regarding China. It put a spotlight on it, and now people see how China treats us and what a destabilising factor it is for the region. It clearly bothered China, judging by the way it reacted to it on the international stage.

  From a geopolitical and military perspective, Pelosi’s visit didn’t produce any benefit. It didn’t – couldn’t – bring any kind of peaceful dialogue. China’s vision and military exercises won’t change. But Pelosi’s visit didn’t complicate the situation; it just brought it under the spotlight so more Western media are paying attention to Taiwan. This kind of attention is somehow opening up many windows of opportunity for Taiwan to collaborate with other countries and agencies. No one knows what will come out of this, but from what I’ve seen so far, increased opportunities of international collaboration may improve our chances of safety.

  What would it take to bring peace and stability to the region?

  That’s a huge question. For me, the ultimate solution would be the opening up of civic space and the democratisation of China, Russia and other totalitarian regimes in Southeast Asia. However, we know this is too big a hope and it’s not really up to us.

  There used to be a civil society in China, but under Xi’s rule civic space has been continuously shrinking for 10 years. More and more activists are getting arrested. We all saw what happened recently in Hong Kong: China cracked down hard on civic movements and arrested people for even having a podcast –regular citizens were sent to jail just in case. China shut down all forms of civic expression, including news agencies. China will do to Taiwan what it did to Hong Kong, and what it has long done to Tibetans and Uighurs within China.

  If you ask me, I would say peace would require the demise of the Chinese Communist Party, but people think I am crazy when I put it this way. But from our perspective, this is the only forever solution. If you have an aggressive, expansionist neighbour trying to invade you, attaining peace is quite hard because it is not up to you. There can’t be peace unless your neighbour changes.

  Without justice there won’t be any peace. I’m not sure which kind of peace people wish to see: I think they are wrong if they define peace as just the absence of war. It that’s what they want, they can move to Hong Kong. Hong Kong is peaceful now – there are no mobilisations, no protests, no disorder. But is this really peace? It’s just an illusion: people are quiet because they lost their rights and freedoms. This is not the kind of peace we want for Taiwan.

  We need to find a way to open up civic space and bring democracy to the region – that is the only way forward.

  How is Taiwanese civil society working to make this happen?

  Lots of Taiwanese CSOs are working to limit China’s influence in the region, especially in Taiwan. There is an organisation called Economic Democracy Union that conducts serious research about Chinese influence on our economy; their work show how Chinese collaborators pretend to be Taiwanese companies and penetrate very sensitive industries such as electronics or e-commerce – industries that capture lots of personal data. Economy Democracy Union brings these issues to the surface with the aim of promoting new regulations to protect us from these influence-seeking tactics.

  There are also many CSOs working to strengthen civic defence, which isn’t just war-related, but rather focused on preparedness for disaster or any kind of military operation; their goal is to teach citizens how to react in these cases.

  Right now, Doublethink Lab is doing an investigation on China’s information operations. We do election monitoring and try to disclose disinformation campaigns or far-fetched narratives flooding into Taiwanese media. We are building a global network to bridge the gap between academia and civil society on a global scale. We want people to know what Chinese influence looks like in different countries, the channels it travels through, its tactics and its final goals.

  Doublethink Lab isn’t the only organisation advocating for digital defence. There are several others focusing on Chinese media influence, disinformation campaigns, fact-checking processes and civic education to identify fake news, among other related issues.

  What support does Taiwanese civil society need from the international community?

  We need resources. Most Taiwanese CSOs are small grassroots organisations. People tend to view Taiwan as a rich country with a very prosperous economy, but the truth is that civil society movements struggle a lot. Human rights CSOs and those working to counter Chinese influence usually have fewer resources than a regular charity. CSOs need more resources to be able to recruit new talent.

  Right now is the perfect time to ask ourselves what we really need. I always ask my fellow activists what they need, and answers resemble a lot those of activists in Hong Kong or Ukraine. Something the international community can also help with is by exposing Taiwan’s struggle. We don’t want people to think our issues are disconnected from those of the rest of the world – we want to become closer and we want to be understood. We need more connections with CSOs in the rest of the world. We need all forms of help to prepare and get ready for what’s coming.

  ---

  Civic space in Taiwan is rated ‘open’ by theCIVICUS Monitor.

  Get in touch with Doublethink Lab through itswebsite and follow @doublethinklab and@TTCATz on Twitter.

• THAILAND: ‘Spyware was used to monitor protesters’ online activity’

  CIVICUS speaks about the use of surveillance technology against civil society activists in Thailand with Sutawan Chanprasert, founder and executive director of DigitalReach, a civil society organisation (CSO) that promotes digital rights, human rights and democracy in Southeast Asia.

  What is DigitalReach working on?

  DigitalReach is a digital rights organisation working in southeast Asia. We are looking at the impact of technology on human rights and democracy in the region. We initiated this project with a focus on the use of Pegasus spyware in Thailand and reached out to The Citizen Lab and iLaw for collaboration. This is because iLaw is a well-known organisation based in Thailand with a great connection with local activists, and The Citizen Lab is well-known for its expertise in spyware investigation.

  What were the main findings of this research?

  Pegasus spyware, which is produced by NSO group and sold only to state agencies, can infect devices (both iOS and Android) through a technology called ‘zero click’, which means that it needs no action on the part of the targeted user. Once the spyware is installed, it can gain access to everything on the device, including photos and text messages, and can turn the camera and microphone on and off.

  In Thailand, this spyware has been used against at least 35 iPhone users: 24 activists, three CSO workers, three academics and five opposition politicians. These infections happened between October 2020 and November 2021, which was peak time for the democracy movement.

  There were three reasons why the spyware was used against dissidents: to monitor protesters’ online activity, to monitor the protests and to find out more about the movement’s funding. On the basis of forensic evidence, The Citizen Lab confirmed that zero-click technology was used, exploiting vulnerabilities in the system to gain access to the devices.

  This was likely not the first time spyware was used against activists in Thailand, but we have no evidence to confirm this suspicion. Other digital surveillance tools have also been used: as detailed in our report, GPS devices were found attached to some dissidents’ vehicles during democracy mobilisations.

  How did the government react to your findings?

  On 22 July the Prime Minister said in parliament that he does not know anything about this spyware, and he added that such spyware would be unnecessary as we all knew what was going on from social media. The Deputy Minister of Defence also declared in parliament that it is not the government’s policy to use spyware against people or ‘generally’ violate their rights. Meanwhile, the Minister of Digital Economy and Society stated in parliament that spyware technology had been purchased but not by a department or agency under his authority. However, he referred to it generically as ‘spyware technology’, without ever confirming that he was referring to Pegasus.

  Is there anything CSOs and activists can do to counter spyware?

  Spyware is considered a dual-use item, which means it can also be useful in criminal investigations. However, we all know this is not always the case. In Thailand and many other countries, spyware has been used against dissidents and members of the opposition, which means that the technology needs to be strictly regulated so it’s not abused. However, it’s hard to see that happening under the current administration, as the government itself is the likely perpetrator. Only policymakers who care about human rights will be able to make progress on this.

  As for individual activists, there is no total solution to prevent a device from being infected by this kind of spyware. However, exposure to this threat can be reduced in several ways, such as by using two-factor authentication, using a security key or an authenticator app rather than an SMS, using a messaging platform with the disappearing message feature and by enrolling in Google’s Advanced Protection Program.

  What can the international community do to support Thai activists facing surveillance?

  This is a tricky question. Thailand doesn’t currently have an active local digital rights organisation, so working on this would be a good first step to increase digital security protection. The global community that works on digital security can play an important role. However, training activities offered in Thailand must be conducted in the local language and customised to fit the Thai context.

  There’s also a need for digital security work in Thailand that goes beyond training, including monitoring to watch for emerging digital threats against dissidents, more research and work with local activists and organisations to ensure their long-term digital safety with a sustainable approach. Funding is also needed because local activists and organisations must buy tools to support their digital security.

  Civic space in Thailand is rated ‘repressed’ by theCIVICUS Monitor.
  Follow DigitalReach via itswebsite and follow@DigitalReachSEA on Twitter.

• UN CYBERCRIME TREATY: ‘Civil society is fact-checking the arguments made by states’

  CIVICUS speaks with Ian Tennant about the importance of safeguarding human rights in the ongoing process to draft a United Nations (UN) Cybercrime Treaty.

  Ian isthe Chair of theAlliance of NGOs on Crime Prevention and Criminal Justice, a broad network of civil society organisations (CSOs) advancing the crime prevention and criminal justice agenda through engagement with relevant UN programmes and processes. He’s the Head of the Vienna Multilateral Representation and Resilience Fund at theGlobal Initiative Against Transnational Organized Crime, a global CSO headquartered in Geneva, focused on research, analysis and engagement on all forms of organised crime and illicit markets. Both organisations participate as observers in negotiations for the UN Cybercrime Treaty.

  Why is there need for a UN treaty dealing with cybercrime?

  There is no consensus on the need for a UN treaty dealing with cybercrime. The consensus-based bodies dealing with cybercrime at the UN, primarily the UN Commission on Crime Prevention and Criminal Justice (CCPCJ), could not agree on whether there was a need for the treaty since the issue was first raised officially at the UN Crime Congress in 2010, and in 2019 it was taken to a vote at the UN General Assembly. The resolution starting the process towards a treaty was passed with minority support, due to a high number of abstentions. Nevertheless, the process is now progressing and member states on all sides of the debate are participating.

  The polarisation of positions on the need for the treaty has translated into a polarisation of views of how broad the treaty should be – with those countries that were in favour of the treaty calling for a broad range of cyber-enabled crimes to be included, and those that were against the treaty calling for a narrowly focussed treaty on cyber-dependent crimes.

  What should be done to ensure the treaty isn’t used by repressive regimes to crack down on dissent?

  Balancing effective measures against cybercrime and human rights guarantees is the fundamental issue that needs to be resolved by this treaty negotiation process, and at the moment it is unclear how this will be accomplished. The most effective way to ensure the treaty is not used to crack down on dissent and other legitimate activities is to ensure a treaty focused on a clear set of cyber-dependent crimes with adequate and clear human rights safeguards present throughout the treaty.

  In the absence of a digital rights treaty, this treaty has to provide those guarantees and safeguards. If a broad cooperation regime without adequate safeguards is established, there is a real risk that the treaty could be used by some states as a tool of oppression and suppression of activism, journalism and other civil society activities that are vital in any effective crime response and prevention strategy.

  How much space is there for civil society to contribute to the negotiations process?

  The negotiations for the treaty have been opened for CSOs to contribute to the process through an approach that does not allow states to veto individual CSOs. There is space for CSOs to bring in their contributions under each agenda item, and through intersessional meetings where they can present and lead discussions with member states. This process is in some ways a model that other UN negotiations could follow as a best practice.

  CSOs, as well as the private sector, are bringing vital perspectives to the table on the potential impacts of proposals made in the treaty negotiations, on practical issues, on data protection and on human rights. Fundamentally, CSOs are providing fact-checking and evidence to back up or challenge the arguments made by member states as proposals are made and potential compromises are discussed.

  What progress has been made so far, and what have been the main obstacles in the negotiations?

  On paper, the Ad Hoc Committee has only two meetings left until the treaty is supposed to be adopted – one meeting will take place in August and the other in early 2024. The Committee has already held five meetings, during which the full range of issues and draft provisions to be included in the treaty have been discussed. The next stage will be for a draft treaty to be produced by the Chair, and then for that draft to be debated and negotiated in the next two meetings.

  The main obstacle has been the existence of quite fundamental differences in visions for the treaty – from a broad treaty allowing for criminalisation of and cooperation on a diverse range of offences to a narrow treaty focussed on cyber-dependent crimes. Those different objectives mean that the Committee has so far lacked a common vision, which is what negotiations need to discover in the coming months.

  What are the chances that the final version of the treaty will meet international human rights standards while fulfilling its purpose?

  It is up to the negotiators from all sides, and how far they are willing to move in order to achieve agreement, whether the treaty will have a meaningful impact on cybercrime while also staying true to international human rights standards and the general human rights ethos of the UN. This is the optimal outcome, but given the current political atmosphere and challenges, it will be hard to achieve.

  There is a chance the treaty could be adopted without adequate safeguards, and that consequently only a small number of countries ratify it, thereby diminishing its usefulness, but also directing the rights risks to only those countries who sign up. There is also a chance the treaty could have very high human rights standards, but again not many countries ratify it – limiting its usefulness for cooperation but neutering its human rights risks.

  ---

  Get in touch with the Alliance of NGOs on Crime Prevention and Criminal Justice through itswebsite and follow@GI_TOC and@IanTennant9 on Twitter. 

• UN CYBERCRIME TREATY: ‘This is not about protecting states but about protecting people’

  CIVICUS speaks withStéphane Duguin aboutthe weaponisation of technology and progress being madetowards a United Nations (UN) Cybercrime Treaty.

  Stéphaneis an expert onthe use of disruptive technologies such as cyberattacks, disinformation campaigns and online terrorism and theChief Executive Officer of the CyberPeace Institute,a civil society organisation (CSO) founded in 2019 to help humanitarian CSOs and vulnerable communitieslimit the harm of cyberattacks andpromote responsible behaviour in cyberspace. It conducts research and advocacy and provides legal and policy expertise in diplomatic negotiations, including theUN Ad Hoc Committee elaborating the Cybercrime Convention.

  Why is there need for a new UN treaty dealing with cybercrime?

  Several legal instruments dealing with cybercrime already exist, including the 2001 Council of Europe Budapest Convention on Cybercrime, the first international treaty aimed at addressing cybercrimes and harmonising legislations to enhance cooperation in the area of cybersecurity, ratified by 68 states around the world as of April 2023. This was followed by regional tools such as the 2014 African Union Convention on Cyber Security and Personal Data Protection, among others.

  But the problem behind these instruments is that they aren’t enforced properly. The Budapest Convention has not even been ratified by most states, although it is open to all. And even when they’ve been signed and ratified, these instruments aren’t operationalised. This means that data is not accessible across borders, international cooperation is complicated to achieve and requests for extradition are not followed up on.

  There is urgent need to reshape cross-border cooperation to prevent and counter crimes, especially from a practical point of view. States with more experience fighting cybercrimes could help less resourced ones by providing technical assistance and helping build capacity.

  This is why the fact that the UN is currently negotiating a major global Cybercrime Convention is so important. In 2019, to coordinate the efforts of member states, CSOs, including CyberPeace Institute, academic institutions and other stakeholders, the UN General Assembly established the Ad Hoc Committee to elaborate a ‘Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purpose’ – a Cybercrime Convention in short. This will be the first international legally binding framework for cyberspace.

  The aims of the new treaty are to reduce the likelihood of attacks, and when these happen, to limit the harm and ensure victims have access to justice and redress. This is not about protecting states but about protecting people.

  What were the initial steps in negotiating the treaty?

  The first step was to take stock of what already existed and, most importantly, what was missing in the existing instruments in order to understand what needed to be done. It was also important to measure the efficacy of existing tools and determine whether they weren’t working due to their design or because they weren’t being properly implemented. Measuring the human harm of cybercrime was also key to define a baseline for the problem we’re trying to address with the new treaty.

  Another step, which interestingly has not been part of the discussion, would be an agreement among all state parties to stop engaging in cybercrimes themselves. It’s strange, to say the least, to be sitting at the table discussing definitions of cyber-enabled and cyber-dependent crimes with states that are conducting or facilitating cyberattacks. Spyware and targeted surveillance, for instance, are being mostly financed and deployed by states, which are also financing the private sector by buying these technologies with taxpayers’ money.

  What are the main challenges?

  The main challenge has been to define the scope of the new treaty, that is, the list of offences to be criminalised. Crimes committed with the use of information and communication technologies (ICTs) generally belong to two distinct categories: cyber-dependent crimes and cyber-enabled crimes. States generally agree that the treaty should include cyber-dependent crimes: offences that can only be committed using computers and ICTs, such as illegally accessing computers, performing denial-of-service attacks and creating and spreading malware. If these crimes weren’t part of the treaty, there wouldn’t be a treaty to speak of.

  The inclusion of cyber-enabled crimes, however, is more controversial. These are offences that are carried out online but could be committed without ICTs, such as banking fraud and data theft. There’s no internationally agreed definition of cyber-enabled crimes. Some states consider offences related to online content, such as disinformation, incitement to extremism and terrorism, as cyber-enabled crimes. These are speech-based offences, the criminalisation of which can lead to the criminalisation of online speech or expression, with negative impacts on human rights and fundamental freedoms.

  Many states that are likely to be future signatories to the treaty use this kind of language to strike down dissent. However, there is general support for the inclusion of limited exceptions on cyber-enabled crimes, such as online child sexual exploitation and abuse, and computer-related fraud.

  There is no way we can reach a wide definition of cyber-enabled crimes unless it’s accompanied with very strict human rights safeguards. In the absence of safeguards, the treaty should encompass a limited scope of crimes. But there’s no agreement on a definition of safeguards and how to put them in place, particularly when it comes to personal data protection.

  For victims as well as perpetrators, there’s absolutely no difference between cyber-enabled and cyber-dependent crimes. If you are a victim, you are a victim of both. A lot of criminal groups – and state actors – are using the same tools, infrastructure and processes to perform both types of attacks.

  Even though there’s a need to include more cyber-enabled crimes, the way it’s being done is wrong, as there are no safeguards or clear definitions. Most states that are pushing for this have abundantly demonstrated that they don’t respect or protect human rights, and some – including China, Egypt, India, Iran, Russia and Syria – have even proposed to delete all references to international human rights obligations.

  Another challenge is the lack of agreement on how international cooperation mechanisms should follow up to guarantee the practical implementation of the treaty. The ways in which states are going to cooperate and the types of activities they will perform together to combat these crimes remain unclear.

  To prevent misuse of the treaty by repressive regimes we should focus both on the scope of criminalisation and the conditions for international cooperation. For instance, provisions on extradition should include the principle of dual criminality, which means an act should not be extraditable unless it constitutes a crime in both the countries making and receiving the request. This is crucial to prevent its use by authoritarian states to persecute dissent and commit other human rights violations.

  What is civil society bringing to the negotiations?

  The drafting of the treaty should be a collective effort aimed at preventing and decreasing the amount of cyberattacks. As independent bodies, CSOs are contributing to it by providing knowledge on the human rights impacts and potential threats and advocating for guarantees for fundamental rights.

  For example, the CyberPeace Institute has been analysing disruptive cyberattacks against healthcare institutions amid COVID-19 for two years. We found at least 500 cyberattacks leading to the theft of data of more than 20 million patients. And this is just the tip of the iceberg.

  The CyberPeace Institute also submits recommendations to the Committee based on a victim-centric approach, involving preventive measures, evidence-led accountability for perpetrators, access to justice and redress for victims and prevention of re-victimisation.

  We also advocate for a human-rights-by-design approach, which would ensure full respect for human rights and fundamental freedoms through robust protections and safeguards. The language of the Convention should refer to specific human rights frameworks such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. It is important that the fight against cybercrime should not pit national security against human rights.

  This framing is especially significant because governments have long exploited anti-cybercrime measures to expand state control, broaden surveillance powers, restrict or criminalise freedoms of expression and assembly and target human rights defenders, journalists and political opposition in the name of national security or fighting terrorism.

  In sum, the goal of civil society is to demonstrate the human impact of cybercrimes and make sure states take this into consideration when negotiating the framework and the regulations – which must be created to protect citizens. We bring in the voices of victims, the most vulnerable ones, whose daily cybersecurity is not properly protected by the current international framework. And, as far as the CyberPeace Institute is concerned, we advocate for the inclusion of a limited scope of cybercrimes with clear and narrow definitions to prevent the criminalisation of behaviours that constitute the exercise of fundamental freedoms and human rights.

  At what point in the treaty process are we now?

  A consolidated negotiating document was the basis for the second reading done in the fourth and fifth sessions held in January and April 2023. The next step is to release a zero draft in late June, which will be negotiated in the sixth session that will take place in New York between August and September 2023.

  The process normally culminates with a consolidation by states, which is going to be difficult since there’s a lot of divergence and a tight deadline: the treaty should be taken to a vote at the 78^th UN General Assembly session in September 2024.

  There’s a bloc of states looking for a treaty with the widest possible scope, and another bloc leaning towards a convention with a very limited scope and strong safeguards. But even within this bloc there is still disagreement when it comes to data protection, the approach to security and the ethics of specific technologies such as artificial intelligence.

  What are the chances that the final version of the treaty will meet international human rights standards while fulfilling its purpose?

  Considering how the process has been going so far, I’m not very optimistic, especially on the issue of upholding human rights standards, because of the crucial lack of definition of human rights safeguards. We shouldn’t forget negotiations are happening in a context of tense geopolitical confrontation. The CyberPeace Institute has been tracing the attacks deployed since the start of Russia’s full-scale invasion of Ukraine. We’ve witnessed over 1,500 campaigns of attacks with close to 100 actors involved, many of them states, and impacts on more than 45 countries. This geopolitical reality further complicates the negotiations.

  By looking at the text that’s on the table right now, it is falling short of its potential to improve the lives of victims in cyberspace. This is why the CyberPeace Institute remains committed to the drafting process – to inform and sensitise the discussions toward a more positive outcome.

  ---

   

  Get in touch with the CyberPeace Institute through itswebsite or itsFacebook page, and follow@CyberpeaceInst and@DuguinStephane on Twitter.