For decades, journalists, activists and lawyers who work on human rights issues around the world have been harassed, and even detained, by repressive and authoritarian regimes seeking to halt any assistance they provide to human rights defenders. Digital communication technology and privacy-protective tools like end-to-end encryption have made this work safer, in part by making it harder for governments to target those doing the work. But that has led to technologists building those tools being increasingly targeted for the same harassment and arrest, most commonly under overbroad cybercrime laws that cast suspicion on even the most innocent online activities.
Right now, that combination of misplaced suspicion, and arbitrary detention under cyber-security regulations, is being played out in Ecuador. Ola Bini, a Swedish security researcher, is being detained in that country under unsubstantiated accusations, based on an overbroad reading of the country’s cybercrime law. This week, we submitted comments to the Office of the U.N. High Commissioner for Human Rights (OHCHR) and the Inter-American Commission on Human Rights (IACHR) for their upcoming 2019 joint report on the situation of human rights defenders in the Americas. Our comments focus on how Ola Bini’s detainment is a flagship case of the targeting of technologists, and dangers of cyber-crime laws.
While the pattern of demonizing benign uses of technology is global, EFF has noted its rise in the Americas in particular. Our 2018 report, “Protecting Security Researchers' Rights in the Americas,” was created in part to push back against ill-defined, broadly interpreted cybercrime laws. It also promotes standards that lawmakers, judges, and most particularly the Inter-American Commission on Human Rights might use to protect the fundamental rights of security researchers, and ensure the safe and secure development of the Internet and digital technology in the Americas and across the world.
We noted that these laws fail in several ways. First, they don't meet the requirements established by the Inter-American Human Rights Standards, which bars any restriction of a right through the use of criminal law. Vague and ambiguous criminal laws are an impermissible basis to restrict the rights of a person.
These criminal provisions also fail to clarify the definition of malicious intent or mens rea, and actual damage turning general behaviors into strict liability crimes. That means they can affect the free expression of security researchers since they can be interpreted broadly by prosecutors seeking to target individuals.
For instance, Ola Bini is currently being charged under Article 232 of the Ecuadorian Criminal Code:
Any person who destroys, damages, erases, deteriorates, alters, suspends, blocks, causes malfunctions, unwanted behavior or deletes computer data, e-mails, information processing systems, telematics or telecommunications from all or parts of its governing logical components shall be liable to a term of imprisonment of three to five years, or:
Designs, develops, programs, acquires, sends, introduces, executes, sells or distributes in any way, devices or malicious computer programs or programs destined to cause the effects indicated in the first paragraph of this article, or:
Destroys or alters, without the authorization of its owner, the technological infrastructure necessary for the transmission, reception or processing of information in general.
If the offense is committed on computer goods intended for the provision of a public service or linked to public safety, the penalty shall be five to seven years' deprivation of liberty.
Bini’s case highlights two consistent problems with cybercrime laws: the statute can be interpreted in such a way that any software that could be misused creates criminal liability for its creator; indeed, potentially more liability than on those who conduct malicious acts. This allows misguided prosecutions against human rights defenders to proceed on the basis that the code created by technologists might possibly be used for malicious purposes.
Additionally, we point the OHCHR-IACHR to the chain of events associated with Ola Bini’s arrest. Bini is a free software developer, who works to improve the security and privacy of the Internet for all its users. He has contributed to several key open source projects used to maintain the infrastructure of public Internet services, including JRuby, several Ruby libraries, as well as multiple implementations of the secure and open communication protocol OTR. Ola’s team at ThoughtWorks contributed to Certbot, the EFF-managed tool that has provided strong encryption for millions of websites around the world.
His arrest and detention was full of irregularities: his warrant was for a “Russian hacker” (Bini is neither Russian nor a hacker); he was not read his rights, nor allowed to contact his lawyer, nor offered a translator. The arrest was preceded by a press conference, and framed as part of a process of defending Ecuador from retaliation by associates of Wikileaks. During the press conference, Ecuador’s Interior Minister announced that the government was about to apprehend individuals who are supposedly involved in trying to establish a “piracy center” in Ecuador, including two Russian hackers, a Wikileaks collaborator, and a person close to Julian Assange. She stated: “We are not going to allow Ecuador to become a hacking center, and we cannot allow illegal activities to take place in the country, either to harm Ecuadorian citizens or those from other countries or any government.”
Neither she nor any investigative authority has provided any evidence to back these claims.
As we wrote in our comments, prosecutions of technologists working in this space should be treated in the same way as the prosecution of journalists, lawyers, and other human rights defenders — with extreme caution, and with regard to the risk of politicization and misuse of such prosecutions. Unfortunately, Bini’s arrest is typical of the treatment of security researchers conducting human rights work.
We hope that the OHCHR and IACHR carefully consider our comments, and recognize how broad cybercrime laws, and their misuse by political actors, can directly challenge human rights defenders. Ola Bini’s case—and the other examples we’ve given—present clear evidence for why we must treat cybercrime law as connected to human rights considerations.