Developing Controls on Cyber-Surveillance Exports: Civil Society’s Role in Formulating Norms for Cyber Technologies

Abstract

Defining norms — appropriate standards of behavior — for the rapidly evolving landscape of information communications technologies (ICTs) is a seemingly impossible challenge for the international community. But norms for cyber technologies may develop from the activism of civil society, the private sector and independent actors as well as from governments. This article argues that the efforts of NGOs, activists and researchers to regulate ‘cyber-surveillance tools’ are a case of a limited success in creating norms regarding cyber technologies. Cyber-surveillance tools are software products that make use of sophisticated hacking techniques to enable surveillance. Civil society groups have led a years-long campaign to regulate surveillance exports because of human rights concerns about their use by authoritarian regimes. Using a qualitative analysis of public discourse on cyber-surveillance from key civil society and public officials from 2011 – 2018, this article highlights the role of NGOs and researchers in defining the proposed norm regulating cyber-surveillance exports, framing it to key actors, and influencing governments to apply export controls to these tools. Contrasting the implementation of this norm in the U.S. and the European Union, it finds that differences in the actors who became involved — from cybersecurity researchers to human rights activists — and in which institutions had oversight over implementing export controls led to divergences in how the U.S. and the EU implemented the proposed norm. This analysis draws lessons for effective cultivation of cyber norms by civil society, showing the importance of including technical experts, defining highly targeted norms, and using existing platforms. As developments in ICTs further alter the international arena, efforts to create rules for cyberspace should consider the process by which civil society actors build, shape and advocate for norms for cyber technologies.