Cybersecurity Justice: the Ethics of Exclusion

With the growth of the Internet-of-Things and large parts of the world becoming increasingly dependent on mobile internet applications for access to basic financial and governmental services, the security of a wider and wider array of devices and systems is becoming necessary to ensure stakeholders’ basic interests. Until recently, the ethics of cybersecurity has been focused on issues of privacy, fiduciary responsibility, and individual liability (Christen et al., 2019; Guiora, 2017; Manjikian, 2017). At the same time, the broader political role that cybersecurity needs to play in a world where internet access is essential for accessing basic services and where there are large-scale inequalities in the nature, reliability, and fluency in internet access and use has been comparatively ignored. There is an urgent need—as cybersecurity claims amongst agents with vastly different social status and political power proliferate—to consider security claims within the context of distributive and procedural justice (Hess and Ostrom, 2007).

Issues of cybersecurity justice arise both domestically and globally, especially given the key role that technology leaders in Europe and the United States play in establishing best cybersecurity practices around the globe and in profiting from both sales of hardware and software to lower-income nations. Domestically, access to the internet is increasingly essential in order to avail oneself of core governmental services (UN Human Rights Council, 2016). In the limit case, even the ability to vote requires secure internet access, but even in more moderate cases, applying for social welfare services as well as access to medical insurance is simplified by, made cheaper through, or even requires the use of the internet. Those without internet access may need to spend hours in line, pay additional fees, wait longer for appointments, fail to receive essential translation services, or simply be blocked from using the services altogether. Secure and reliable access thus becomes essential to one’s status as a citizen able to access one’s own entitlements. Thus, smoother and cheaper operations of government services for the many are often purchased at the cost of additional obstacles being imposed upon the weakest claimants (Dimaggio et al., 2004; Hoffman and Novak, 1998; Jaeger, 2011; Lian and Yen, 2014; Loges and Jung, 2001; Willis and Tranter, 2006). It is important to explore the extent to which different cybersecurity norms or practices could mitigate these inequitable consequences.

Globally, many of those subject to digital inequality—including and especially those who have been historically unbanked—have increasingly come to rely on mobile phones and social media applications for basic internet functionality (Gong et al., 2007). Cybersecurity justice would acknowledge that mobile, local, and social internet functionality based on smartphones can play a large role in helping those in developing nations to achieve higher levels of welfare and development. Various smartphone apps have become increasingly important for financial security (Davis, 2020; Garun, 2017; Rapacz, 2018), but also for access to secure drinking water (Cheng, 2018), and employment (Hannon, 2017). Mobile banking has played an especially large role in providing financial services to those in lower income nations (Bankole et al., 2011; Donner and Tellez, 2008; Medhi et al., 2009; Must and Ludewig, 2010; Shaikh and Karjaluoto, 2015; Van der Boor et al., 2014; Wambari, 2009). In these environments, smartphone apps are being used to replace or supplement basic institutional functionality but the security of these apps as well as the privacy of the users is not a key priority for the European and North American cybersecurity actors (Burnett and Feamster, 2015; Byers, 2015; Narayanan and Zevenbergen, 2015; Pearce and Rice, 2013; Rice and Katz, 2003; Srinuan et al., 2012). This gives rise to concerns about power and exploitation. This is similar to cases of exploitation in global pharmaceutical research. In those cases, companies from the Global North offered a level of treatment higher than expected in the developing country and yet lower than expected in a developed nation in order to save money on drug trials (Benatar, 2002; Emanuel et al., 2004; Petryna, 2005). Here, technology companies are offering a genuine benefit but at the cost of lower levels of security or privacy than expected in their home nations. Developing a set of norms for cybersecurity agents that will give greater priority to the least powerful, impoverished classes of the planet that can benefit from new mobile phone and internet-of-things functionality could be a key plank of cybersecurity justice.

The workshop will result in a report compiled by the organisers summarising contributions from participants across the week. The report will set forward a clear agenda to cover key areas for research and development to 2030. The report will also propose working groups, to be led by workshop participants, covering each of the key areas proposed in the research agenda. This proposal will encompass ideal members of each working group, a timeline for each group, and key areas of funding for each group to pursue. Together, the research agenda and working groups will develop work that will sensitize academics, technical developers, policy makers and users of cybersecurity technology of tensions between their models and societal reality, with directions towards mitigation and solutions of these tensions.