Policy Recommendations

For Policymakers

Protect privacy and security

Strictly regulate the use of surveillance tools and personal-data collection by government and law enforcement agencies. Government surveillance programs should adhere to the International Principles on the Application of Human Rights to Communications Surveillance , a framework agreed upon by a broad consortium of civil society groups, industry leaders, and scholars for protecting users’ rights. The principles, which state that all communications surveillance must be legal, necessary, and proportionate, should also be applied to biometric surveillance technologies and open-source intelligence methods such as social media monitoring. In the United States, lawmakers should reform or repeal existing surveillance laws and practices to better align with these standards, including those under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, and pass the bipartisan Fourth Amendment Is Not For Sale Act, which would require government agencies to obtain a court order before purchasing data from data brokers. Policymakers in the United States should also investigate the extent to which commercial surveillance tools, such as spyware and extraction technology, have been used against Americans and ensure that appropriate safeguards are in place.

Protect encryption. Robust encryption is fundamental to cybersecurity, commerce, and the protection of human rights. Weakening encryption endangers the lives of activists, journalists, members of marginalized communities, and ordinary users around the world. Governments should refrain from mandating the introduction of “back doors,” requiring traceability of messages, or reducing intermediary liability protections for providers of end-to-end encryption services. In the United States, any reforms to Section 230 of the Communications Decency Act should not undermine the ability of intermediaries and service providers to offer robust encryption.

Strengthen data-privacy protections by promulgating stronger regulations and enacting comprehensive legislation. Democracies should collaborate to create interoperable privacy regimes that comprehensively safeguard user information, while also allowing data to flow across borders to jurisdictions with similar levels of protection. Individuals should have control over their information, including the right to access it, delete it, and easily transfer it to the providers of their choosing. Companies should be required to limit the collection of consumer data, particularly intimate information such as health, biometric, and location data, disclose in plain language how they use data they do collect, and limit how third parties can access and use this data. Updated data-privacy protections should include provisions that provide independent regulators and oversight mechanisms with the ability, resources, and expertise needed to enforce and ensure foreign and domestic companies comply with privacy, nondiscrimination, and consumer-protection laws. In the United States, the Federal Trade Commission (FTC) has initiated important action to strengthen privacy enforcement under existing authorities by issuing an Advance Notice of Proposed Rulemaking to explore whether stronger protections are needed regarding commercial surveillance and data security. In the current absence of a federal data privacy law, the FTC should issue a final rule that provides robust protections and facilitates enforcement. Comprehensive data-privacy legislation is also needed in the United States. The proposed American Data Privacy and Protection Act (ADPPA), which would institute a comprehensive framework that limits what data can be collected by companies, would be a positive step. The ADPPA would be made stronger by making it clear that states are free to pass their own, more robust privacy protection laws.

Restrict the export of censorship and surveillance technology. A booming commercial market for surveillance and censorship technologies has given governments even greater capacity to flout the rule of law, monitor private communications, and restrict access to essential resources. Democracies should place strict limits on the sale of technologies that enable monitoring, surveillance, interception, or collection of information and communications—including technologies that collect and analyze biometric information (including gait, facial measurements, voice, and DNA, among others), spyware, data-extraction technology, and general-purpose products that provide the advanced computing power, machine learning, natural-language processing, and artificial intelligence capabilities that can be used to enhance these technologies. In a first, the Costa Rican government called for a global moratorium on the use of spyware technology in 2022. The United States, Australia, Denmark, and Norway, supported by Canada, France, the Netherlands, and the United Kingdom, have recently announced the Export Controls and Human Rights Initiative, intended to “help stem the tide of authoritarian government misuse of technology and promote a positive vision for technologies anchored by democratic values.” The United States additionally updated its licensing policy to restrict the export of items if there is “a risk that the items will be used to violate or abuse human rights,” and the European Union (EU) tightened export controls for dual-use products and cybersurveillance technologies. When implementing such new policies, government officials should give extra scrutiny to the suitability of exports intended for countries rated as Not Free or Partly Free by Freedom House , where the most frequent censorship and surveillance abuses occur. Government export guidance should urge businesses to adhere to the UN Guiding Principles on Business and Human Rights . Businesses exporting surveillance and censorship technologies that could be used to commit human rights abuses should be required to report annually to the public on the impacts of their exports. Reports should include a list of countries to which they have exported such technologies, potential human rights concerns in each of those countries, a summary of preexport due diligence undertaken to ensure that their products are not misused, human rights violations that have occurred as a result of the use or potential use of their technologies, and efforts to mitigate the harm done and prevent future abuses. I n the United States, Congress should pass the Foreign Advanced Technology Surveillance Accountability Act, which requires the Department of State to include information on the status of surveillance and use of advanced technology in its annual report on global human rights practices.

Safeguard free expression, access to information, and a diverse online environment

Maintain access to internet services, digital platforms, and circumvention technology, particularly during elections, protests, and periods of conflict. Intentional disruptions to internet access and online services impact individuals’ economic, social, political, and civil rights. Governments should avoid blocking or imposing onerous regulatory requirements on circumvention tools, and imposing outright or arbitrary bans on social media and messaging platforms. While some services may present genuine societal and national security concerns, bans unduly restrict user expression. Governments should instead address any legitimate risks posed by social media and messaging platforms through existing democratic mechanisms including regulatory action, security audits, parliamentary scrutiny, and legislation passed in consultation with civil society and affected stakeholders. Any restrictions to online content should adhere to international human rights standards of legality, necessity, and proportionality, and include robust oversight, transparency, and consultation with civil society and the private sector. When sanctions are imposed, it should be made clear that internet communications services are exempt so as not to limit essential online tools for users in authoritarian countries.

Enshrine human rights principles, transparency, and democratic oversight in laws that regulate online content. Legal frameworks addressing online content should establish special type- and size-oriented obligations on companies, incentivize platforms to improve their own standards, and require human rights due diligence and reporting. Such requirements should prioritize transparency across core products and practices, including content moderation, recommendation and algorithmic systems, collection and use of data, and political and targeted advertising practices. Laws should also provide opportunities for vetted researchers to access platform data—information that can provide insights for policy development and civil society’s research and advocacy. Intermediaries should continue to benefit from safe-harbor protections for most user-generated and third-party content appearing on their platforms, so as not to encourage restrictions that could inhibit free expression. Laws should also protect “good Samaritan” rules and reserve decisions on the legality of content for the judiciary rather than companies or executive agencies. Internet users whose account or content is limited or removed should have access to systems for notice, explanation, redress, and appeal. Independent, multistakeholder bodies and independent regulators with sufficient resources and expertise should be empowered to oversee the  implementation of laws, conduct audits, and ensure compliance. Provisions within the EU’s Digital Services Act, notably its transparency provisions, data accessibility for researchers, and a coregulatory form of enforcement, offer a promising model for content-related laws.

Support online media and foster a resilient information space. Combating disinformation and propaganda begins with public access to reliable information and local, on-the-ground reporting. Democracies should scale up efforts to support independent online media in their own countries and abroad through financial assistance and innovative financing models, technical support, and professional development support. They should pair those efforts with broader civic education initiatives and digital literacy training that help people navigate complex media environments. They should also expand protections for journalists who face physical attacks, legal reprisals, and harassment for their work online, including by supporting the creation of emergency visas for those at risk. Laws should protect the free flow of information, grant journalists access to those in power, allow the public to place freedom of information requests, and guard against state monopolization of media outlets.

Fully integrate human rights principles in competition policy enforcement. Diversifying the market for online services—particularly through the creation of smaller platforms that can be tailored toward the needs of a particular community or audience—is a key step toward a more resilient information environment. Competition in the digital market can also encourage companies to create innovative products that protect fundamental rights and tackle online harms such as harassment. When enforcing competition policy, regulators should consider the implications of market dominance on free expression, privacy, nondiscrimination, and other rights. Governments should also ensure antitrust frameworks can effectively be applied in the digital age, and create legal regimes that incentivize such diversity, such as by introducing interoperability and data-portability provisions like those in the EU’s Digital Markets Act.

Address the digital divide. Unequal access to the internet contributes to economic and social inequality and undermines the benefits of a free and open internet. In the short term, governments should work with service providers to lift data caps and waive late-payment fees; they should also support community-based initiatives to provide secure public-access points and lend electronic devices to individuals who need them. Longer-term efforts should include expanding access and building internet infrastructure for underserved areas and populations, ensuring that connectivity is affordable, and enacting strong legal protections for user privacy and net neutrality.

Strengthen global internet freedom

Ensure that cyber diplomacy is both coordinated among democracies and grounded in human rights. Democracies should facilitate dialogue among national policymakers and regulators to coordinate on best practices for tech policy, and strengthen engagement at international standards­–setting bodies. Diplomats should develop common approaches to countering authoritarian influence within the UN General Assembly, International Telecommunication Union (ITU), and other multilateral bodies. Multilateral decision-making should support and complement, not replace, specific internet-governance and standards-setting activities by multistakeholder bodies like the Internet Corporation for Assigned Names and Numbers (ICANN). In the United States, there is an opportunity to institutionalize and sustain new initiatives and funding streams focused on global technology policy and internet freedom, especially those announced at the inaugural Summit for Democracy. The State Department’s new Bureau of Cyberspace and Digital Policy should make human rights a central component of its mandate, including by ensuring that staff have relevant expertise and coordinating closely with other internet-focused departments within and across agencies. These efforts should also formalize regular, ongoing engagement with civil society and the private sector.

Strengthen the Freedom Online Coalition’s capacity to protect internet freedom. As the upcoming 2023 chair, the United States should focus on strengthening the FOC’s name recognition and its ability to drive diplomatic coordination and global action. This includes by more proactively articulating the benefits of a free and open internet to governments, being more publicly and privately vocal on threats and opportunities for human rights online, mainstreaming FOC activity in other multilateral initiatives like the ITU and Group of 7 (G7), and creating more avenues to engage with civil society and the private sector, including through diversifying and expanding the coalition’s advisory network. The FOC should consider increasing internal staffing to achieve these goals, and creating an internal mechanism by which member states’ activities can be evaluated to ensure they align with FOC principles. A new funding mechanism, supported by member states, for programs and activities led by nonstate stakeholders could also advance FOC priorities. Any expansion of the coalition’s membership should be carried out in consultation with the advisory network, and new members should be selected based on their capacity to bolster the FOC’s work and contribute to greater geographic diversity within the body.

Defend and expand internet freedom programming as a vital component of democracy assistance. Democracy assistance targeting internet freedom activities should prioritize digital security and digital activism trainings, as well as provision of software that can protect or assist users. Policymakers should support programs that seek to strengthen judicial independence, enhance technical literacy among judges and others within the legal system, and provide other financial and administrative resources for strategic litigation. Governments should increase support for technologies that help individuals in closed environments circumvent government censorship, protect themselves against surveillance, and overcome restrictions on connectivity. Such tools should be open-source, user-friendly, and locally responsive in order to ensure high levels of security and use. Finally, programming should support efforts aimed at strengthening the independence and expertise of regulators, which can serve as politically neutral bodies that protect internet freedom across changes in political leadership.

Advocate for the immediate, unconditional release of those imprisoned for online expression protected under international standards. Governments should incorporate these cases, in addition to broader internet-freedom concerns, into bilateral and multilateral engagement with perpetrator countries. It should be made standard practice to raise the names of those detained for their online content, to request information or specific action related to their treatment, and to call for their release and the repeal of laws that criminalize online expression.

For Companies

Ensure fair and transparent content moderation. To ensure content-moderation policies that are respectful of users, private companies should:

• Prioritize users’ free expression and access to information, particularly for journalism; discussion of human rights; educational materials; and political, social, cultural, religious, and artistic expression.
• Clearly and completely explain in guidelines and terms of service what speech is not permissible, what aims restrictions serve, and how content is assessed for violations. An essential step is ensuring that terms of service, as well as mechanisms for reporting harmful content and appealing content decisions, are translated into all languages where the company’s products are used.
• When appropriate, consider less-invasive alternatives to content removal, such as demotion of content, labeling, fact-checking, promoting more authoritative sources, and implementing design changes that improve civic discussions.
• Publish detailed transparency reports on content takedowns, both for those initiated by governments and for those undertaken by companies. Transparency reports should also address how machine learning is used to train automated systems that classify, recommend, and prioritize content for human review.
• Provide an efficient and timely avenue of appeal for users who believe that their rights were unduly restricted, including through censorship, banning, assignment of labels, or demonetization of posts.
• Refrain from relying on automated systems for removing content without opportunity for meaningful human review.
• Expand the capacity, geographic, and linguistic diversity of content moderation teams, and ensure they are sensitive to nuances in a language that is spoken across multiple countries or regions. Conduct human rights due diligence assessments to ensure that implementation of moderation does not lead to unintended consequences, such as disproportionately affecting marginalized communities.

Resist government orders to shut down internet connectivity, ban digital services, and unduly turn over data or restrict user accounts and content. Service providers should use all available legal channels to challenge such requests from state agencies, whether they are official or informal, especially those that relate to human rights defenders, activists, civil society, journalists, or other at-risk accounts. If companies cannot resist demands in full, they should ensure that any restrictions or disruptions are as limited as possible in duration, geographic scope, and type of content affected. Companies should thoroughly document government demands internally and notify users as to why connectivity or their content may be restricted, especially in countries where government actions lack transparency. When faced with a choice between a ban of their services and complying with undue data requests and censorship orders, companies should bring strategic legal cases that challenge government overreach, in consultation or partnership with civil society.

Adhere to the UN Guiding Principles on Business and Human Rights, adopt the Global Network Initiative Principles on Freedom of Expression and Privacy, and conduct human rights impact assessments. Companies should commit to respecting the rights of their users and addressing any adverse impact that their products might have on human rights. The Global Network Initiative’s Principles provide concrete guidance on how to do so. Companies should invest in and expand programs and tools that allow users, especially human rights defenders, journalists, and those from at-risk populations, to easily protect themselves from online and offline harms, particularly during crisis events. Companies should also minimize the amount of data they collect, sell, and use, and clearly communicate to users what data are collected and for what purpose. Where companies do operate, they should conduct and publish periodic assessments to fully understand how their products and actions might affect rights including freedom of expression, nondiscrimination, and privacy.

Enshrine human rights principles in product design and development. Protecting rights online begins with responsible product design and development. Technologists and engineers should be trained on the human rights implications of the products they build and on international best practices for preventing their abuse. Companies should conduct research and consult with impacted communities to understand the ways their products can be used to perpetrate online and offline harms and respond with strong guardrails that prioritize safety . When a product is found to have been used for human rights violations, companies should suspend sales to the perpetrating party and develop an immediate action plan to mitigate harm and prevent further abuse. Companies should also support the accessibility of circumvention technology, mainstream end-to-end encryption in their products, and ensure other robust security protocols, including by resisting government requests to provide special decryption access.

Engage in continuous dialogue with civil society to understand the effects of company policies and products. Companies should seek out local expertise on the political and cultural context in markets where they have a presence or where their products are widely used, especially in repressive contexts due to unique sets of human rights challenges that require context-specific solutions. Consultations with civil society groups should inform whether companies choose to operate in a particular country, the companies’ approach to content moderation, the development of products and policies, especially during elections or crisis events, when managing government requests, and when working to counter online harms.