Cyberspace has provided a platform for the expansion of democracy. At national and local levels, e-government offers new forms of accessibility to public services. The Internet is sometimes described as a “liberation technology,” fostering democratization throughout the world. However, as our daily lives increasingly rely on the Internet and its connectivity, governments have also used cyberspace to expand their surveillance efforts, fostering important debates and concern about civil liberties in the digital era. While social media played a key role in the Arab Spring and the EuroMaidan movement, their effect cannot be separated from broader political and societal implications. Authoritarian governments, fearing the power of social media, have not hesitated in restricting or banning access to certain parts of their domestic Internets, using broad surveillance powers to curtail free speech. Cyberspace is a powerful medium for mobilizing citizens and organizing democracy, yet it can also be used by states to control and manipulate their societies and limit human freedom.
Early Internet enthusiasts championed notions of freedom and independence. They envisioned that cyberspace would liberate humans due to its decentralized nature. The Internet did not need a constitution, or a political process, it was an emancipatory space controlled by users and established to share ideas and experiments: World Wide Web users were free to express themselves and interact however they wanted. This openness, and the liberties provided by the Internet, were essential to its early success. However, as researchers Ronald Deibert and Rafal Rohozinski note, “just because a technology has been invented for one purpose does not mean that it will not find other uses unforeseen by its creators.”1
Governments have always been and remain dominant actors in cyberspace, and have used the Internet to further both democracy and national security. From this perspective, cyberspace has simply provided new ground for pre-existing processes and tensions, between democracy and security, to express themselves. At the end of the twentieth century, governments embraced the Internet to develop new instruments of governance. The Internet offered a new means to provide citizens with information about public services, political processes and choices, a practice known as e-government. Increasingly, digital devices became tools to facilitate online citizens’ participation in political processes – for example, through online voting.2 Together, these new modes of action were expected to promote greater efficiency and effectiveness, and a more citizen-centric government.3 However, as state actors expanded their digital footprint, the percentage of the population with access to computers remained relatively low, and the development of e-democracy stalled.4
At the dawn of the twenty-first century, a growing number of countries invested in national cybersecurity, re-affirming the pre-existing tension between security and democracy. This tension is particularly clear when focusing on the national level of analysis. National security can be defined as the possibility for inhabitants of a state to live in the absence of internal and external threat to the quality of their life and values. To protect our way of life, including the democratic system of government and liberal democratic values such as freedom of speech and privacy, intelligence and security agencies use special powers that threaten, and sometimes infringe upon, these values. In democracies, security agencies seek to defend an open society by secret means. Beyond strategic-level declarations, governments keep most of their cybersecurity practices secret, to protect the methods through which they wield cyberpower. Throughout the world, cyber commands, signals intelligence agencies and domestic law-enforcement agencies operate secretly to protect the comparative advantages they develop over their adversaries. Their reliance on secrecy limits governmental transparency and, by extension, democratic accountability. Without sufficient information on government cyber operations, citizens cannot assess the decisions public authorities make on their behalf. Instead, they have to rely on representatives – the head of government and select members of parliament – who have access to sensitive government information and make cyber policy decisions.
Cybersecurity policy decisions are particularly important because government security agencies benefit from surveillance powers that encroach upon individual privacy. Privacy, defined as the condition of being free from observation or disruption by other people, is an international human right guaranteed by the Universal Declaration of Human Rights of 1948 and the International Covenant on Civil and Political Rights of 1966. International law holds that individuals have the right to consent to or refuse the use of their personal data by secondary or third parties. Interference with this right must be justified by government authorities. Government officials generally invoke national security to deploy special surveillance powers. In this context, surveillance, in and beyond cyberspace, is supposed to constitute a temporary restriction to the rights of a few suspect individuals, accepted in the pursuit of the greater societal interest of national security.
The extent to which governments do indeed use cyber surveillance in exceptional circumstances is a point of debate. Domestic security services collect information in cyberspace to identify and monitor suspected criminals, spies and terrorists. They sometimes monitor political dissenters and opposition groups – subversive elements – who have the potential to turn to violent action or (in autocratic countries) threaten the legitimacy of the regime. Government security services have struggled historically to differentiate legitimate political dissenters from subversive elements that truly threaten society.5 What constitutes legitimate government surveillance is contentious and constantly evolving. Government overreach in this domain can stymie public debate and freedom of expression. Public expectations regarding surveillance can sometimes also have a “chilling effect” on society, in the sense that the simple awareness of the existence of surveillance can restrain social activism and free expression. At the extreme end of the spectrum, excessive government surveillance threatens democracy, instead of protecting it.
There are many ways privacy can be threatened online. Internet users all leave a digital footprint when they visit websites, send emails and submit information online. Some elements are left intentionally – a birth date or a picture shared on Facebook, for instance. Other data are left unintentionally by visiting websites and clicking on links. Each computer has an IP address that is used to surf on the web, which reveals the location and type of device used to access specific parts of the Internet.6 Data on Internet browsing habits can help governments, private companies and malicious actors identify individuals online. Storybox 9.1 discusses growing public concern about online privacy in the aftermath of the global surveillance disclosures of 2013.
In Spring 2013, international media revealed details of a global surveillance network set up by the US National Security Agency (NSA) and partner agencies across the world. The revelation emanated from a cache of highly classified documents stolen by then NSA contractor Edward Snowden. Snowden leaked these documents to a group of journalists who subsequently published them in newspapers such as the Guardian, the Washington Post and Der Spiegel. The Snowden leaks contained thousands of top secret documents shedding light on the surveillance efforts of the “Five Eyes” network – comprised of intelligence agencies in Australia, Canada, New Zealand, the United Kingdom and the United States – and partner countries (including Denmark, France, Germany, Israel, Italy, the Netherlands, Norway, Singapore, Spain and Switzerland).
The most widely discussed revelations focused on a series of programs with mysterious codenames, such as PRISM and XKeyscore. Through the implementation of PRISM, the NSA uses selectors – an email address, for instance – to collect stored Internet communications from major companies including Apple, Google and Skype. According to a PowerPoint presentation leaked by Edward Snowden, PRISM is the main source of raw intelligence used for NSA analytic reports.7 Another program, XKeyscore, allowed the NSA and a number of partner agencies in other countries to search and analyze global Internet data.
These revelations caused outrage around the world because they suggested that the US government and its partners were collecting Internet data in bulk. For many critics and concerned citizens around the globe, these revelations raised the specter of omnipresent government surveillance described in George Orwell’s dystopian novel Nineteen Eighty-Four, or practiced by the East German Ministry for State Security, the Stasi.8
Critics question whether government agencies should be allowed to collect data on large populations of presumably innocent people. While modern intelligence agencies do collect tremendous amounts of data, they do not actively monitor and analyze all the individuals whose data have been collected. From the perspective of the US government, PRISM and XKeyscore were originally authorized by Congress, and legal. Beyond legalities, the global surveillance disclosures raised public awareness and triggered a broad public debate on Internet surveillance.
The debate on Internet privacy expands well beyond the reach of government intelligence agencies. Both government and private-sector organizations are data hungry and seek to obtain personal information online to inform and orient their decisions.9 The amount of data they gather is particularly worrying because no organization seems to be immune to data breaches that can leave sensitive personal information in the hands of criminals.10 In response to growing concerns about online privacy, the European Union passed the General Data Protection Regulation (GDPR) to harmonize data protection across Europe. GDPR allows European users to have easier access to the data that website owners hold about them, and establishes a clear responsibility for organizations to obtain the consent of people they collect information about, among other measures.11 One hope is that creating more accountability for organizations that handle people’s personal information will force them to develop more comprehensive data protection policies and assessments.
Optimists argue that cyber technologies can help foster social change that encourages liberal democratic values. Scholar Larry Diamond defines liberation technology as “any form of information and communication technology that can expand political, social, and economic freedom,” from computers to mobile phones to the Internet and social media.12 Social media platforms like YouTube and Twitter can be used to report news, express opinions and expose wrongdoing. From this perspective, online media provide powerful tools for transparency and monitoring government activities. The practice of cyberactivism, a form of political mobilization in and through cyberspace, relies on the Internet to organize political activities such as demonstrations and street protests.13
There is no question that, in some circumstances, the Internet does empower individuals and strengthen civil society. Larry Diamond details how China’s blogosphere has provided room to open a domestic public sphere, in spite of strong government censorship.14 In one case, online indignation forced the Chinese government to investigate the death of a rural migrant, Sun Zhigang, after he was incarcerated and beaten to death by local police in the city of Guangzhou. The government eventually decided to change its national regulation and closed the detention centers that were used to hold rural migrants in custody prior to repatriation.15 In 2011, social media facilitated the Arab Spring, a series of demonstrations, protests and riots that spread from Tunisia to the rest of the Arab world. In a region where freedom of speech and freedom of press are limited, youth used the Internet to exchange political ideas, spread information and organize protests against repressive governments.16 Storybox 9.2 examines the role digital media played in the EuroMaidan movement, which has affected Ukrainian politics since 2013.
In 2013, a wave of demonstrations and protests followed the Ukrainian government’s decision to suspend the signature of an association agreement with the European Union. The movement, which began on November 21, 2013 in Maidan Nezalezhnosti (Independence Square) was nicknamed “EuroMaidan,” and supported through a number of social media accounts such as @euromaidan on Twitter and the євромайдан–euromaydan page on Facebook. With the help of digital media, fueled by growing public concern with government corruption and human rights violations, among other issues, the movement grew significantly. Protests eventually led to the 2014 Ukrainian revolution, ousting Ukrainian President Viktor Yanukovych and resulting in the overthrow of his government.
Activists, news media and political scientists have all pointed out the importance of social media in the EuroMaidan movement. Social media helped mobilize the population rapidly, sometimes leading to near-spontaneous actions. Digital tools helped protesters connect to one another – thanks, for example, to the use of hashtags.17 Following Yanukovych’s decision not to sign the EU agreement, activists promptly assembled online to criticize the administration. Social media helped activists communicate about the protest, and the broader situation in Ukraine, to domestic and international audiences. They also helped activists organize protests, sharing information about flyers and slogans, setting up a legal assistance service for victims of government repression, and field hospitals for protesters.18
The use of social media also provides a uniquely detailed source of data for researchers to study social movements and a number of other phenomena relevant to national and international politics. However, the digital world cannot provide a window into everything. Social media were an important part of the success of the EuroMaidan movement, but not the sole facilitator. Pre-existing social networks and other types of media – digital, in print, and television – interacted with social media to amplify the protest and bring about social and political change in Ukraine.19 Scholars continue to debate the extent to which digital platforms can foster durable change and sustained civic engagement. In addition to technology, a number of other variables affect political change, including political culture, leadership and the level of organization within a movement.20
The US government famously embraced the potential of the Internet as a tool for democracy promotion in its 2011 International Strategy for Cyberspace. This strategy expressed US support for fundamental freedoms and privacy in cyberspace and offered to support civil-society actors in achieving these freedoms throughout the world.21 Then-Secretary of State Hillary Clinton famously defended Internet freedom, noting that “governments should not prevent people from connecting to the Internet and websites or each other.”22 This notion builds on pre-existing civil and political rights and is often attached to online free expression and the right to access the Internet to connect to others.23 In practice, the US government has supported the development of software, including The Onion Router (Tor), that provide online protection by disguising the source and endpoint of online interactions. Tor allows individuals to surf the web without anyone knowing who and where they are. Egyptian dissidents relied on Tor to protect their identity during the Arab Spring.
However, cyberspace is not a one-dimensional domain dominated by its potential for liberation. Two-thirds of all Internet users live in countries where criticism of the government is subject to censorship.24 China and Russia, among other nations, perceive Internet freedom as a way for Western culture and values to infiltrate their societies and foment dissent. The contrast could hardly be starker between these different perspectives on what constitutes a security risk or a right.25
While the Internet may have been invented with the ideals of freedom of expression and access to information in mind, other purposes have emerged throughout its development. Pessimistic voices in the debate on cybersecurity and democracy highlight governments’ capabilities to control and filter the Internet to identify and punish dissenters. Critics point out that governments can leverage their concerns about cyber warfare to securitize cyberspace and justify extraordinary surveillance measures to the population. The same social media used to organize popular protest and widen the public sphere in the Arab world and beyond can be used by governments to identify dissenters and put them in jail.
Reductions in Internet freedom can take many forms. Filtering technologies, such as the Great Firewall of China, limit citizens’ access to specific sites and resources in cyberspace. Governments can monitor and track online activities, to support arrests and prosecutions based on behaviors or actions in cyberspace.26 The Chinese government has tried to eliminate anonymous communications and networking by requiring the registration of real names to blog or comment, and monitoring cyber cafes. However, there is simply too much information online for governments to monitor everything.
A multiplicity of national approaches to what is allowed on the Internet continues to dictate its use. Even in the most advanced liberal democracies, complete freedom of expression on the Internet does not exist. Among other limitations, liberal democracies have been keen to protect intellectual property, legislating on music rights and cracking down on illegal download platforms, such as Napster and The Pirate Bay. Citizens are also protected from online slander and hate speech in various countries. Other countries chose to more directly restrain access to Internet websites and services based on national values. In Pakistan, laws concerning blasphemy have been used to ban access to Facebook, which hosted cartoons of the Prophet Muhammad.27
In the last decade, the emergence of alternative news websites and fake news raised important questions on the impact of Internet on the public debate. Larry Diamond emphasizes “the fine line between pluralism and cacophony, between advocacy and intolerance, and between the expansion of the public sphere and its hopeless fragmentation.”28 While the Internet can help establish a public debate and support civil society, it can also divide people and foment dissent.29 Cyberspace, in turn, is what people make of it.
While a significant part of the International Relations literature on cyberspace focuses on nation states, understanding the effect of cybersecurity on individuals is equally important. Aaron Brantly argues that the main losers in the current cyber arms race are not states but the activists who are struggling to keep up with the tremendous resources of state actors and corporations that invest in cybersecurity, cyberespionage and cyber operations. As states develop more powerful cyber capabilities, they can use them not only against their adversaries but also on civilian populations.30 For instance, a company based in the United Kingdom developed a complex spyware named FinFisher. This software was sold and used by repressive regimes in Egypt, Bahrain and Uganda to spy on political opponents.31 In other cases, innovations developed for cybercrime are re-used by governments to spy on foreign agents, or even on their own citizens.32 Brantly shows that the development of new cyber capabilities is often followed by decreases in civil liberties, and argues that major democracies should invest more significantly in facilitating freedom of connection and expression online.
The recognition of the imbalance between the power of governments and companies and of civil society has fostered the emergence of public interest groups supporting Internet freedom. Organizations such as the Citizen Lab – an interdisciplinary laboratory based at the University of Toronto – the Electronic Frontier Foundation (EFF) and others actively support less capable cyber actors. The weak position of civil-society actors is reinforced by what one author calls their careless practices. In one stunning example, advocacy group Reporters Without Borders unknowingly propagated a link to a malicious website posing as a Facebook petition to release the Tibetan activist Dhondup Wangchen.33 To combat these kinds of mistakes, organizations like the Citizen Lab provide free support to human rights groups and teach them best practices in cybersecurity. Storybox 9.3 presents the findings of an investigation co-led by the Citizen Lab, and shows some of the difficulties confronted by public interest groups in this context.
In a seminal report entitled “Tracking GhostNet,” an international team of researchers led by the Citizen Lab at the University of Toronto uncovered a vast electronic spying operation infecting 1,295 computers in 103 countries. Their investigation started when researchers at the University of Toronto were asked by the office of the Dalai Lama to examine its computers for signs of malware. Their initial analysis found that the computers had indeed been infected, and the team decided to pursue their investigation through technical scouting and laboratory analysis. The researchers set up a honey-pot computer that helped them identify malicious servers and observe the tactics, techniques and procedures used by the attacker(s) to infect computers and to access and retrieve data from them.34
Their analysis opened a window into a broad cyber operation that had infiltrated hundreds of computers throughout the world, stealing troves of potentially sensitive documents, mostly in Asian countries.35 The main tool used by the hackers behind GhostNet – an open-source and widely available trojan known as gh0st RAT – allowed attackers to gain complete control of a computer.36 This malware was used to retrieve data from high-value targets located in ministries of foreign affairs, embassies, international organizations and NGOs.
Though the researchers could not directly attribute the computer network exploitation, they found that four control servers were based in China, and one in Southern California. However, they remained reluctant to pin responsibility on the Chinese government. Another state actor could have compromised proxy computers in China to achieve deniability. Non-state actors, working for profit or out of patriotism, could also have conducted the operation.37
Protecting information stored on digital devices and communicated through cyberspace has become easier in the last decade, not least thanks to the effort of organizations such as the Citizen Lab, the EFF and the Guardian Project.38 These organizations recommend a number of free tools that are available online to support digital privacy. This includes software that provide disk encryption, email encryption, secure text messages and video services, secure browsing services and virtual private networks, to name a few. These tools are particularly important for activists living in undemocratic countries, where failing to secure online activities can become the difference between freedom and incarceration.39 They can also be important in democracies, to help users protect their online activities from cyber criminals and other online threats. Most online freeware provides sufficient cyber defense against neighbors, colleagues and common cyber criminals. However, the capabilities of specialized companies and many governments are much more difficult to protect against. In those more extreme cases, effective cybersecurity might require users to adapt and limit the ways they use computers. While highly secure browsing and communication is possible, there is no perfect cybersecurity.
The debate on encryption gained prominence in the 1990s, when the administration of President Bill Clinton proposed for federal law-enforcement agencies to hold a decryption key that would facilitate wiretaps. Opponents were disturbed that this would give undue power to government officials, and the government proposal was eventually terminated.40 Advocates of strong public encryption – such as the EFF – point out that the “power of ciphers” protects citizens when they communicate, bank and shop online. For them, more cryptography is inherently beneficial. On the other side, critics – mostly government intelligence and security agencies – point out that encryption protects “foreign spies, terrorists and criminals when they pry, plot and steal.”41 For Daniel Moore and Thomas Rid, these antithetical positions are overstated and flawed. The problem is less with encryption itself than how it is used. They argue that encryption should be used as often as possible, but not all the time, especially not as it relates to cryptographically enabled services.42 They recommend encrypting personal communications and data to enable better privacy and freedom of speech. However, they condemn the use of encryption for online exchange platforms and marketplaces, specifically on the dark web – a distinct cyberspace network supporting cryptographically hidden sites and accessible through specific software like Tor. These services provide anonymous browsing and hosting of exchanges through a browser. While anonymous browsing should be welcomed, anonymous exchanges are more problematic. Research shows that encryption helps develop marketplaces that mostly benefit criminals who want to sell or buy fake passports, drugs, weapons and other illegal goods and services. For Rid and Moore, the individuals creating these websites should have to give their names to service providers. Outside of these specific circumstances, user anonymity should be protected to support free speech.43 The solution Rid and Moore provide is helpful, but it does not resolve the dilemma over encryption. Storybox 9.4 examines the case of the San Bernardino shooters in the United States and presents the dispute that ensued over the decryption of a mobile phone, between the US Federal Bureau of Investigation (FBI) and Apple.
The rise of encryption limits government agencies’ ability to access data on digital devices. Technology companies such as Apple have used encryption as a marketing tool. Developing encryption locks that are difficult, sometimes even impossible, to break is a selling point to attract customers who want to protect their digital data. Strong encryption has frustrated law-enforcement agencies, which have repeatedly asked companies such as Apple to provide them with a key to access encrypted data on their customers’ digital devices and support their investigations. But IT companies have been reluctant to do so. They are concerned that any means of bypassing encryption would create a weakness that hackers and foreign spies might be able to exploit against their customers.
The dispute between Apple and the FBI concerns the extent to which a US court can compel manufacturers to assist government in unlocking mobile phones whose data is encrypted. In 2015 and 2016, Apple received and objected to a dozen court orders seeking to compel the company to use its capabilities to extract data from iPhones to assist criminal investigations. In the most well-known case, the FBI tried to force Apple to create new software that would enable it to unlock an iPhone used by Syed Rizwan Farook, one of the shooters involved in a terrorist attack in San Bernardino, California, that killed 14 and injured 22. FBI officials said that the data in Farook’s phone might hold vital clues for their investigation. The company refused to cooperate on the grounds that it would violate its right to due process, claiming that forcing it to write new software would be a violation of free speech (writing code can be considered as a form of free speech in the United States). From Apple’s perspective, helping law enforcement to bypass the phone password protection would create unwanted vulnerabilities in its products. Privacy advocates, Apple and other technology companies were also worried that cooperating with the government would create a precedent. If Apple complied with the US government, it might then be forced to cooperate again in the future, and not only with US agencies but perhaps also with China, Russia and other less democratic countries.44
Eventually the US government withdrew its request to Apple after it reached out to an Israeli cybersecurity company that was able to unlock the device.45 Since then, Apple has developed stronger encryption on its newer devices, making it technically impossible to unlock passwords or extract data from the devices it produces. The Apple v. FBI story raises broader questions about trust in the digital era. Who should we trust our digital data with? The government? Technology companies? Or only ourselves?
The advent of cyberspace has expanded traditional debates about security and democracy in the digital world. Early Internet users were very attached to the free flow of information and conceived of cyberspace as a haven of freedom. However, the expansion of cyberspace has also been marked by the development of new security tools and threats. These tools have been used by governments to monitor populations for good and bad reasons. But they have also been available beyond government, to activists seeking to advance democracy and to criminals seeking to protect their identity.
Long-existing tensions between liberal democratic values and security practices have not disappeared in cyberspace. States are still trying to regulate this difficult area to fight the use of cybersecurity by malicious actors, and limit their own encroachments on fundamental freedoms. New information and communication technologies do not guarantee freedom or control. Why and how cyberspace is used largely depends on political and societal factors that vary across the globe. The Internet does not create fundamentally new choices between security and democracy, but provides an evolving platform for reaffirming these choices.46 In this sense, the Internet is what people make of it. Cyberspace is a cause for both optimism and pessimism, and, as such, illustrates the complexity of modern societies.
1. How far should governments be able to encroach on liberties to provide for cyber security?
2. Has cybersecurity become essential to democracy?
3. Was Apple right to resist the FBI demand to crack an iPhone linked to the San Bernardino attacks?
Ronald J. Deibert, Black Code: Surveillance, Privacy, and the Dark Side of the Internet (Toronto: McClelland & Stewart, 2013). An eponymous documentary directed by Nicholas de Pencier was released in 2016.
Timothy Edgar, Beyond Snowden: Privacy, Mass Surveillance, and the Struggle to Reform the NSA (Washington, DC: Brookings Institution, 2017).