Just Access speech at “Protecting Human Rights on the Internet: The Role of Government, Business and Civil Society”. Co-organised by Maat for Peace, Development and Human Rights and Just Access on the sidelines of the Human Rights Council 47th session, 13 July 2021.

Thank you very much for this opportunity! My remarks will focus on HRC Resolution 38/7, the previous resolution adopted in July 2018 concerning the promotion, protection and enjoyment of human rights on the internet, in order to identify flaws that can now be corrected. The adoption of this Resolution has a long pre-history, and we must credit Brazil and other Geneva missions that took a leading role in drafting and negotiations. It is a vital and laudable achievement. It integrates multiple key concerns, including the protection of rights to privacy and freedom of opinion and expression, the rights of particularly vulnerable groups such as children, women, and journalists, and the role of Internet-related business enterprises in protecting and promoting human rights. Three areas of possible improvement concern the particular vulnerability of human rights victims and defenders, quasi- and parastatal business enterprises, and State responsibility.

In November 2018, a few months after Resolution 38/7 was adopted, the High Commissioner for Human Rights observed that “the Internet is increasingly a space of threat for human rights defenders.”¹ HRC’s session 47, now drawing to a close, has considered the report of the Human Rights Council Advisory Committee on the possible impacts, opportunities and challenges of new and emerging digital technologies on human rights, which also explicitly addressed legal principles and technical specifics that impact human rights defenders.² In addition, the Advisory Committee’s report noted that while victims of human rights violations perpetrated by States can be empowered by digital technologies, they are especially vulnerable to the offending State’s surveillance and digital interference (para 54). By contrast, HRC Resolution 38/7 does not address the unique threats to these groups.

Let me give two examples, of a victim and of a human rights defender, why it should.

Qatar has been holding Sheikh Talal, a grandson of Qatar’s founder, in arbitrary detention for over 8 years, without access to a lawyer of his choosing, to an independent physician, or his family. His wife and four children escaped to Germany in 2018. Their lawyers submitted urgent appeals to the Working Group on Arbitrary Detention and the Special Rapporteur on torture which, joined by the special rapporteur on the right to health, issued a Joint Letter of Allegations on 19 October 2020 (QAT 2/2020). Qatar refused to answer these Special Mandate Holders’ question about Sheikh Talal’s whereabouts and condition – but the same day Qatar received the Joint Letter of Allegations, Mrs. Arian’s computer was hacked, and the hackers found the confidential address where she lived with her children under German police and State protection. This has led to tremendous anxiety and need for psychological help for both her and the children; and the case is now with the German Public Prosecutor.

Mr. Malcolm Bidali is a Kenyan citizen who worked in Qatar. He reported anonymously on migrant workers’ treatment until a phishing attack in April 2021 uncovered his identity and location, as well. He was arrested in early May. Amnesty International attributed the phishing attack with high probability to the Qatari security forces.³ Mr. Bidali was arrested arbitrarily, again denied access to a lawyer of his choosing, and held in incommunicado and solitary confinement. Global outcry followed. Mr. Bidali was allegedly released, but cannot leave the country.

Resolution 38/7 is to be applauded for recognising and discussing the particular vulnerabilities of children, women and journalists with regard to the Internet. Yet the High Commissioner’s speech and the Advisory Committee’s report add victims and human rights defenders to the list.

As these two cases show, the Internet is an asymmetrically resourced sphere where not technology, but only human rights law can create equality of arms. As, for instance, several Regular Opinions adopted by the Working Group on Arbitrary Detention show, States routinely hack messaging apps with end-to-end encryption. It is not possible to organise a demonstration or file a UN complaint securely. Journalists, children, women and, let me suggest, victims and human rights defenders will always be at a disadvantage in the digital age until their specific vulnerabilities are recognised and pertaining legal doctrines, norms and practices evolve concerning State responsibility and, may I add, international criminal law including the immunity of state officials.

I started by acknowledging the long pre-history and complex negotiations and drafting process that led to the HRC Resolution. While adding the two vulnerable groups I mentioned should have been obvious, we can’t ask an HRC Resolution to reform international criminal law. Yet the Resolution is sensibly clear in affirming human rights in terms that emphasise State obligations, for instance to prevent and suppress terrorist uses of information and communication technology. The Resolution also singles out encrypted and anonymous digital communications as essential to the rights of privacy, freedom of expression, peaceful assembly and association. State hacking of encrypted communications, as we find in the case of Mrs. Arian and Mr. Bidali, could be specifically addressed by minor changes in language with considerable legal consequences.

Another inoffensive way to give Internet-dependent human rights more teeth is to not only emphasise the positive roles businesses can play, but also note that States use quasi- and parastatal businesses with terrific scale and regularity to perpetrate some of the worst human rights abuses, from crippling rivals’ basic infrastructure, including hospital IT systems and water supplies, to complicity in oppressing protests.⁴ Myanmar’s Tatmadaw regime has shut down the internet and systematically interfered with protesters’ communications. Telenor, one of the biggest carriers in Myanmar, sold its operations, while as far as I know, Ooredoo continues to operate in Myanmar and thereby enable the regime to violate the protesters’ fundamental rights. More emphasis on business-related human rights violations would be a useful addition to the toolkit embodied in the HRC Resolution, and at least it would set human rights perimeters to examinations of State responsibility via transnational and parastatal corporations.The recommendations in section IV.B of “Ending Internet Shutdowns”, the new report by the Special Rapporteur on the rights to freedom of assembly, show considerable progress in this regard.⁵

Thank you very much for enduring my long comment, which boils down to this: victims and human rights defenders have particular digital vulnerabilities; and given States’ conduct, business-focused remedies must be a relatively uncontroversial, necessary, and very far from sufficient addition to the tools outlined in the HRC Resolution concerning this vital topic.