A Feminist Conversation on Cybersecurity

Since the late 1960s, as the development of telecommunications and microprocessors with a greater capacity to produce, store, transmit and process data expanded, the challenges and areas of social concern also grew. Three decades later, it was believed that technology would allow everybody to participate in the global economy leading to development. However, transnational feminist activist networks questioned this core assumption of the neoliberal agenda. They began to advocate gender mainstreaming in global communications policy to address structural inequalities shaping women's participation in the Information Society.

The first challenge was to create space for policy discussions where communication and technology issues have historically been seen as purely technical and of interest only to policymakers, businesses and industry. On the other hand, civil society and non-profit actors were not even considered in the debates. Feminists, however, proposed a different approach: they criticised patriarchal society and neoliberal globalisation, the concentration of media ownership and the commodification of communication, the unequal access to telecommunications infrastructure, and the international division of labour and employment in the media, telecommunications and information technologies sectors. They highlighted barriers to access to relevant information and its effective use, gender-based violence at every stage of ICT development, and structural barriers to women's participation in technical careers and knowledge production. And they also fought for a place in decision-making structures designing global communication policies.

Most of these challenges remain relevant today and have further extended to new fields, such as cybersecurity, developed under the influence of national security debates with a strong military tradition. In the mainstream understanding of the cybersecurity debates, States are responsible for "restoring control over the misuse of cyber technologies through a more coordinated and focused effort from the national and international society." Many problematic notions come into play in this approach. If we do not focus on analysing the conditions of production of cyber technologies, we might think that cybersecurity challenges are simply a matter of "misuse" that can be "corrected" later with some adjustments and agreements between "interested parties".

To contribute to this debate, APC developed the Framework for developing a gender-responsive cybersecurity policy to provide policy-making actors with a set of tools to mainstream gender in cybersecurity policies. This approach forces us to examine the foundations of cybersecurity policies. Principles, as central as the idea of safety, are not universal. On the contrary, they are "constantly sustained and elaborated by local socio-cultural practices that characterise who and what is considered "safe" or "unsafe". 

In this edition of GenderIT, we want to focus on the human dimension of cybersecurity. To do this, we asked ourselves how cybersecurity policies developed from the centres of political, economic and epistemological power affect those at the margins; and how we can think about cybersecurity from a feminist perspective. We set out to find specific and contextualised examples of how cybersecurity directly affects the lives of different women, LGBTQIA+ people and diverse social groups around the world.

Cybersecurity Policy: A Feminist Issue

The transnational feminist activist networks advancing the gender and communication agenda began to organise during United Nations' International Women's Decade (1975 - 1985) to ensure that international instruments would recognise women's communications rights. For instance, they claimed that freedom of expression in the void did not necessarily reach women. On the contrary, as Margaret Gallagher (2011) explains, it is a fact that its exercise "is severely limited by layers of structural, economic and cultural constraints" that can only begin to be overcome by challenging the male dominance of the media (and BigTech companies). In a society with the patriarchy embedded, gender becomes "central to the analysis of power structures".

The Beijing Declaration and Platform for Action, which resulted from the Fourth World Conference on Women held in Beijing, China, in 1995, is considered by many to be a milestone for gender mainstreaming in international instruments[1]. While the intersection between gender and cybersecurity was too new to be addressed in the Programme of Action, some references acknowledge that "those most negatively affected by conflict and excessive military spending are those living in poverty" (para. 128) and that an "active and visible policy of gender mainstreaming" should be promoted in addressing armed conflict (para. 141). It also underlined the "potential for the media to make a far greater contribution to the advancement of women" (para. 141) and encouraged "the use of communication systems, including new technologies, as a means of strengthening women's participation in democratic processes."

Undeniably, gender and intersectionally blind policies have unequal effects on populations because they do not consider structural inequalities and the needs of those not at the centre. A policy without gender and intersectional perspectives is bound to have unexpected consequences that will likely affect the less privileged.

Perhaps the rights demanded in this document seem somewhat limited. Still, they were not, as the context was at the height of the expansion of the neoliberal project with the International Monetary Fund and the World Bank, and various UN organisations such as the World Trade Organisation or the International Telecommunications Union underpinning it. Moreover, it took place barely 20 years after the first World Conference on Women, held in Mexico City in 1975, where no consensus was reached to sign a joint document due to confrontations between feminists from the North and women from the Third World. 

In this sense, the advances in the articulation of civil society in the discussions and agreements reached in Beijing were remarkable. For the first time, an international declaration recognised that the benefits of the information society were not reaching everyone equally: Women did not have the time, money, access or knowledge to participate in it, let alone the conditions to shape it according to their wishes and needs.

The Beijing Declaration also established that all United Nations agencies should adopt a gender perspective, assess the gendered impacts of their programmes and take measures to prevent or mitigate them.[2] However, the adoption of the gender mainstreaming framework was also criticised by feminist activists and scholars such as Sonia Alvarez, Mary Kaldor, Silvia Federici, María Mies, Eva Charkiewicz and Anita Gurummurthy, who argued that it was a strategy to co-opt feminists in order to depoliticise a radical movement with subversive potential by integrating it into the logic of international organisations.

It is true that the feminist movement, as in many other sectors, navigates between contradictions and ambiguities in advocacy strategies that coexist in a fragile balance between ethics and negotiation (Tarres, 1993). It is also a fact that bureaucratisation restricts radical feminist politics to specific, ordered and unchallenging issues of the development agenda; on the other hand, it is a means of dialogue with the institutions where decisions that can have a massive impact are made. In this way, the feminist slogan "Nothing about us without us" is somehow put into practice. Undeniably, gender and intersectionally blind policies have unequal effects on populations because they do not consider structural inequalities and the needs of those not at the centre. A policy without gender and intersectional perspectives is bound to have unexpected consequences that will likely affect the less privileged. From this perspective, a human-centred approach to cybersecurity must go beyond simply including people on the margins. According to APC, this means "to make cybersecurity responsive to the complex, differentiated and intersectional needs of people based on gender, sexual orientation, race, religion, ethnicity, ability, class and political affiliation, among other factors." Beyond mainstreaming gender into policy, let's look at other areas of action where feminist activists and scholars have had a profound impact on how cybersecurity is approached.

Holistic Security: A Feminist Practice

As just discussed, the feminist movement has a history of challenging governments and institutions to respond to inequality and violence. Most importantly, however, feminists have also engaged in 'underground politics' (Staggenborg and Tailor, 2005): A set of mutual support practices involving knowledge production, the development of tools and methodologies to address gender-based violence, and the mobilisation of resources to accompany those left unattended by institutions.

Between 2000 and 2010, the internet became an essential tool for activists to explore their identities, maintain relationships, create imaginaries, document collective memories and mobilise more cheaply and quickly than ever before. However, as most internet users became dependent on commercial and centralised platforms, they began facing specific online threats.

The growth of a business model focused on the commodification of personal data exposed many women and LGBTQIA+ people to significant levels and new forms of violence enabled and facilitated by digital technologies. Human rights defenders increasingly face hate speech, harassment, hashtag invasion and trolling, doxing, distribution of intimate images without consent, monitoring and surveillance, unauthorised access to social media profiles and emails, identity theft and other attacks.

Many digital rights organisations focus on providing specific digital security training for human rights defenders. However, these initiatives are still too often one-size-fits-all, tool-centric, and dominated by Northern white experts parachuted into other countries. At the same time, feminist organisations and women's funds around the world are reflecting deeply on the specific threats faced by women and LGBTQIA+ activists around the world and how they cope with the health problems (physical and mental) caused by the exhaustion of dealing with this violence. Jane Barry and Jelena Djordjevic's groundbreaking 2007 research for the Urgent Action Fund, "What's the Point of Revolution if We Can't Dance?", explores these specifics and highlights that "sustainability is about being able to do the work we love and still feel full and happy in every part of our lives. It's about feeling safe, feeling connected, feeling recognised, respected and valued - for who we are as much as for what we do." A few years later, in collaboration with Artemisa, Elige and CREA, Marina Bernal published the "Self-Care and Self-Defense Manual for Feminist Activists" to support feminists in developing their own self-defence strategies.

Researching and reflecting on the specific online and offline threats faced by women human rights defenders challenge the hegemonic masculinity of digital security, which is still largely dominated by a militaristic view of security that tends to completely ignore its gendered and intersectional aspects. Meanwhile, the Mesoamerican Initiative of Women Human Rights Defenders (IM-Defensoras) proposes a feminist holistic approach to protection, which they define as "a political and strategic framework in permanent collective construction that offers an inclusive vision that allows us to place the care of our bodies, our organisations and our struggles at the centre of political activism so that it remains viable in the face of constant violence and repression."

In 2016, the Holistic Security Strategy Manual for Human Rights Defenders completed the inclusion of a feminist critical approach within the security and protection methodological framework for planning digital security training for HRDs. This framework suggests the need to stop treating the different aspects of HRDs' security needs (digital, physical, psychosocial) as if they existed in isolation from each other. It stresses that the "lack of adequate awareness of the emotional and psychosocial aspects of security often blinds us to potential threats, such as the effects of long-term stress on our health. Furthermore, fostering mental and physical well-being benefits our ability to understand our security situation and take critical decisions."

Researching and reflecting on the specific online and offline threats faced by women human rights defenders challenge the hegemonic masculinity of digital security, which is still largely dominated by a militaristic view of security that tends to completely ignore its gendered and intersectional aspects.

Therefore, we can consider that feminist holistic protection builds and promotes "a broad and inclusive digital security outlook that focuses not only on securing information and communication channels, or on providing strategies and tools for confronting digital emergencies and online gender-based violence, but also on bringing together socio-political, psychosocial, collective and individual spheres in order to introduce measures and norms for collective support in digital environments."

This collective dimension of safety and protection is an essential aspect of feminist initiatives to build networks of support and solidarity to assist people facing hate speech and gender-based violence online where other key actors have failed to provide answers. Neither social media companies nor law enforcement or other government agencies have been able to identify, address, respond to and overcome this type of violence. In contrast to the responses offered by mainstream cybersecurity, which offer universal, purely technical solutions that criminalise and blame the expression of women and LGBTQIA+ people, feminist digital self-defence proposes, first and foremost, not to blame or re-victimise those who experience violence and to develop strategies that allow us to confront this violence collectively.

All of this knowledge about feminist digital self-defence strategies has been put into practice in initiatives that provide more systematic and sustained support to others. Feminist helplines, most of which are self-managed and have few resources, are critical actors in addressing gender-based violence online. These initiatives have begun to recognise each other and have come together in 2020 as a global community of feminist helplines to build a collaborative network for sharing and learning. They have also set up their own secure digital infrastructure to look after their constituents' data.

The feminist movement has by far been at the forefront of responding to gender-based violence online, placing the notion of care at the heart of cybersecurity strategies from a holistic perspective. The situated knowledge that feminists produce from the margins of the hegemonic system is central to the lives of women and LGTBQIA+ people. In advocating human-centred cybersecurity policies, policymakers should acknowledge and learn from feminists' understanding of the impact of violence and their holistic approach to addressing it.

Feminist Contributions to Cybersecurity

There is broad consensus on the fact that different social groups are in different positions when dealing with cybersecurity threats. Some populations are more vulnerable than others, which is referred to as "differential vulnerabilities", a term developed by Pierce et al. (2018), which "recognises that different populations and individuals have different types and degrees of digital security vulnerabilities and may be subject to varying attacks."

Gender-blind cybersecurity policies will not protect everyone equally and may even affect historically criminalised groups, such as sex workers. That is the case for the Fight Online Sex Trafficking Act (FOSTA) and the Stop Enabling Sex Traffickers Act (SESTA), passed in 2018 by the United States Senate, to make it illegal to assist, facilitate, or support sex trafficking knowingly. By restricting the possibility to advertise and vet clients online, "sex workers have fewer advance safety precautions in place, no ability to effectively pre-screen clients, and no way to ensure that they work in safe, secure locations." 

In this context, Cypher Sex, a queer-feminist collective working to empower LGTBQIA+ people, women and sex workers "in their use of online services and digital tools", drafted a manual for writing local digital self-defence guides focusing on the FOSTA/SESTA legal and social scenario. In "Localising Digital Self-Defence Guides for Sex Workers", they describe the process they adopted to create the first guides, discuss the importance of creating new localised guides that fit each legal and social system, and consider the local sex workers' specific needs and self-defence strategies.

It is also widely known that in some cases, cybersecurity policy is often used to limit the right to freedom of expression and silence and persecute political dissent. Totalitarian governments are instrumentalising cybersecurity policies to increase crackdown on dissent and shrinking civil society space. The persecution of anonymity online under the guise of combating fake news and smear campaigns has become commonplace.

The Chilean organisation Derechos Digitales teamed up with APC to map abusive uses of cybercrime standards to silence and criminalise women and LGBTQIA+ people worldwide. In "When Protection Becomes Threat: Cybercrime Regulation as a Tool for Silencing Women and LGBTQIA+ People Around the World", Derechos Digitales shows how the growth in cybercrime regulations fails to protect the freedom of expression of women and LGBTQIA+ people and often puts them at risk. That is the case for Nicaragua.

In October 2020, Nicaragua's Congress passed the Cybercrime Special Bil. It was the first specific national legal instrument aimed at preventing and prosecuting expressions of violence through online platforms. However, although the narrative to promote this bill focused on the need to protect the integrity of women and children, in practice, it has been enforced to silence dissenting voices. In "Cybercrime Policy to Censor Dissent in Nicaragua", Soledad de los Ríos, a Mesoamerican feminist activist and researcher, describes how authoritarian regimes can use cybersecurity laws to curtail freedom of expression, criminalise human rights activists and civil society organisations, and, in this specific case of Nicaragua, censor women's struggle for the right to a life free of violence.

Totalitarian governments are instrumentalising cybersecurity policies to increase crackdown on dissent and shrinking civil society space. The persecution of anonymity online under the guise of combating fake news and smear campaigns has become commonplace.

On the other hand, there are cases, such as Nigeria, where good practices exist. Nevertheless, structural inequalities mean that policies in specific domains are not enough to make women and LGTBQIA+ people safe online. Although Nigeria's National Cybersecurity Policy and Strategy, passed in 2021, recognises that accessibility and gender-based abuse and violence online constitute obstacles to social inclusion, sustainable peace and general security, the challenges women and LGTBQIA+ people face online remain critical. Chioma Agwuegbo, director of TechHerNG, shares a broad overview of gender-based violence online in Africa, tapering into Nigeria as its primary focus, and contextualises such phenomenon within the more general culture of exclusion of women and gender inequality in the region (Editors' Note: To be published soon).

It proves impossible to understand the manifestations of gender-based violence online without acknowledging that our perspectives and conditions of access, use and development of technologies are deeply rooted in the ways patriarchy, capitalism and colonialism are embedded in our daily lives. We understand that the spectrum of techno-political choices we can make in this model of technological development "do not address the needs of groups affected by structural inequalities, such as those of gender, race, ethnicity and class." 

Fortunately, feminists are not standing idly by and are taking technology into their own hands in many fields. In "Feminist Infrastructure: The Creation of What Sustains Us", Alexandra Haché, cyberfeminist activist and researcher member of Donestech and Fembloc, explores how different experiences of collectives creating feminist infrastructure allow us to explore new horizons of political action. In her article, Haché maps pioneering experiences of feminist autonomous digital infrastructure, focused on informing, communicating, documenting, connecting, exploring identities and creating subversive and radical narratives and imaginaries about the other possible and desirable worlds.

Feminists are also rethinking cybersecurity frameworks to develop forensic instruments suitable to address gender-based violence online adequately. The field of digital security for human rights defenders depends on a limited number of groups that share information about digital attacks targeted at civil society. The number gets even smaller when it comes to actors who can perform digital forensics. In "Feminist Sparks of Reflection About Digital Forensics", Carl, a member of Marialab, a feminist hacklab based in Brazil, shows us how feminist activists in Brazil are working on frameworks for teaching and applying computer forensics in cases of gender-based violence online.

We hope the perspectives gathered in this GenderIT edition will contribute to a broader conversation on cybersecurity. Introducing the situated knowledge of populations living in the margins is our contribution to helping decision-makers in cybersecurity policies to move away from the unique vision proposed by hegemonic masculinity.