Implementing Recommendations for Supporting Human Rights in Web Standards
Human rights advocates (including CDT) have argued for years that the design of internet and web technologies – including the development of the technical standards that enable different devices and software on the internet to interoperate – profoundly impacts their ability to defend the rights and wellbeing of all people, and especially marginalized groups. A recent report from the United Nations Office of the High Commissioner for Human Rights (OHCHR) endorses that argument and lays out recommendations for how technical standard-setting can help overcome challenges to broad participation and effective respect of human rights.
The report, which represents the culmination of a year-long research process exploring how technical standard-setting processes affect human rights, was recently submitted to the Human Rights Council. Now it’s up to industry, governments and standard-setting bodies themselves to devote the resources and attention necessary to put these recommendations into place.
CDT was pleased to participate in the development of the report through our participation at the Internet Governance Forum and the Human Rights Council, where we provided comments of our own and organized comments with the Internet Architecture Board and other W3C participants. Those comments (the latter, in particular) were frequently cited in the OHCHR report.
This report also builds on longer term research in this area. The Human Rights Protocol Considerations Research Group at the Internet Research Task Force, co-chaired by CDT’s Mallory Knodel, has organized research on this topic since 2015, including a short documentary film (Net of Rights) and an RFC of research on the various areas of human rights impacted by internet protocols.
And the discussion continues. Recently, CDT invited several civil society experts on the topic for a call to discuss how human rights should be supported in standards.
The report outlines a wide array of recommendations for incorporating human rights into technical standards, directed to governments, standard-setting organizations, businesses, and civil society. These recommendations can generally be separated into three categories: Review, Transparency, and Participation.
Review:
In the standards process, wide review (or “horizontal review”) refers to getting a review from the broader community of the potential impacts and implications of a standards proposal. The report identifies the importance of due diligence to directly identify and address human rights in the standard-setting process and throughout the development and use of standards.
Transparency:
Access to information about the development of standards is necessary for accountability, public oversight, and obtaining input from a wide range of stakeholders. The report recommends that much information should be available to the general public as well as to researchers.
Participation:
Open, inclusive participation is needed for standards to reflect the perspectives of all stakeholders. The report recommends measures to address cultural and financial barriers to broader participation, particularly to increase participation from the Global South and to make a more balanced representation of gender.
Case Study: W3C process
One helpful way to get a sense of how these recommendations can be a useful tool for human rights advocates is by exploring how they might look when applied to an important organization like the World Wide Web Consortium (W3C), where most standard-setting for the Web takes place. In that real-world context, it’s clear that, while W3C has taken important steps towards putting human rights at the center of its work, there’s still more to be done.
Review:
W3C’s practices of wide and horizontal review are cited in the UN OHCHR report as a positive example, including its assessments of privacy and accessibility. But the report identifies additional steps W3C should take, including a human rights impact assessment of W3C’s practices more generally. With more resources, including increased industry participation, we could extend the timeframe of reviews: identifying the societal impacts of upcoming work items (like digital credentials, as discussed below) and monitoring the deployed use of web technologies.
Transparency:
W3C demonstrates best practices for transparency in how its standards are developed and communicated. Web standards, every draft, issue and proposal, and even the debates and conversations that go into making decisions, are all publicly archived and documented.
Participation:
While W3C has worked to increase the range of voices at the table, with different ways to participate (including Github feedback, hybrid meetings, and lower-investment Community Groups) and has a Code of Conduct to support a positive working environment, the breadth of participation still doesn’t nearly match the people who use or are affected by the web. Significant investment is necessary, in particular from states and large industry players, to help cover the costs of more civil society participation, especially for people from areas outside the US and Europe.
Case study: digital credentials
Looking forward, the UNHCR’s report could be a helpful tool in shaping an emerging set of technical standards: the underlying system for digital credentials.
Digital credentials are a clear example of the profound societal impacts of new technical standards. States increasingly want to issue digital versions of driver’s licenses, passports, and other identity cards and make them available for presentation both in-person and over-the-Internet. Identity verification is proposed as a way to mitigate fraud, to prove personhood and combat AI-generated misinformation, to improve delivery of government services, and even to provide greater privacy and accessibility in presenting credentials to governments and businesses.
These initiatives rely on cryptographic designs and standards for modeling, accessing, and presenting credentials. How these are designed, deployed, and used will determine how we interact with our own governments, what privacy we have from companies and the government (e.g., motor vehicle departments and law enforcement agencies), and to what extent companies and governments can discriminate against or exclude people from services.
As the W3C considers more direct work on defining and presenting government-issued credentials to web sites, the UN OHCHR report could play a valuable role in guiding the process.
Review:
Industry and civil society are considering the future implications and risks of this work already, but as questions surrounding digital credentials extend beyond well-known privacy topics, this process represents a prime opportunity to conduct a forward-looking review of the potential societal impacts. CDT has advocated for a joint task force or other collaborative effort to consider privacy, free expression, and consolidation concerns, and to start that work now.
Transparency:
In contrast to many legislative processes and other standard-setting processes, W3C is hosting conversations about digital credentials largely in public, with the opportunity for full review and for public input. (In contrast, mobile driver’s license protocols are developed behind closed doors at ISO, where drafts can only be shared through occasional leaks and we learn about proposals primarily through second-hand rumors. Even the final standards can only be seen by paying fees to ISO, a governmental standards organization, or some other re-seller.) Meaningful transparency requires more than just access, though; key implications of public interest need to be translated from technical specifications into more generally accessible language.
Participation:
An urgent timeline – driven by legislative mandates and alternative deployed technologies – makes broad and deep public participation a real challenge. More governments need to be directly and publicly involved in Web standardization, given the direct impact on the services they provide their citizens and their role as both issuers and verifiers of credentials. W3C rules that limit contributions from non-paying members could interfere with small business participation and should be relaxed. And while civil society colleagues are trying to keep up, it hasn’t been a priority topic for most organizations; this may require more funding to permit them to dedicate the necessary time and expertise.
Driven by government mandates to provide digital licenses to residents and to encourage businesses to request presentation of those licenses online, the reality of digital identification is coming– and soon. Governments, industry, and civil society together have an opportunity now to implement the UN OHCHR’s recommendations in considering the human rights impact of the standards that will underlie this technology, and by doing so they’ll be able to protect their citizens’ most basic rights from the ground up.