October – December 2023

What are the global trends in Internet freedom, what is the status of the Digital Services Act (DSA) enforcement, and what are the reactions of CSOs to UNESCO’s final version of the Guidelines for the Governance of Digital Platforms? You can read about these and many other Internet trends in GIF’s Quarterly Report, covering the period from October through December 2023.

Expanding beyond a global perspective, the report contains overviews of digital security and digital rights trends from eight regions. It addresses incidents ranging from press suppression and restrictions on freedom of expression in West & Central Africa (WCA) to cyberattacks, digital rights concerns, and the impact of offline developments across East & Southern Africa (ESA). The report covers updates on digital threats and targeted attacks in Latin America & the Caribbean (LAC), highlighting issues such as vulnerabilities, phishing, technology misuse for surveillance, and gender-based violence.

In Europe & Eurasia, the focus shifts to recent updates on digital attacks, digital rights, and freedom of expression. The report also explores cybersecurity incidents in the Balkans, including phishing, hacking, and cyberattacks targeting critical sectors such as finance, energy, and media.

The report also covers South & Southeast Asia (SEA) and Central Asia (CA), where it discusses state-sponsored cyberattacks, new national regulations affecting social media and telecommunications, and their implications for freedom of expression and privacy. Additionally, the report details cybersecurity incidents, regulatory changes, and initiatives within these regions.

Concluding with the Middle East and North Africa (MENA), the report presents findings on hacking attacks, cybersecurity incidents, the extortion of journalists and activists, legal actions against individuals for social media content, and Internet shutdowns.

Global Trends

The World Radiocommunication Conference (WRC) held by the International Telecommunication Union (ITU) concluded in mid-December 2023, after nearly a month of intense negotiations. While the WRC can be seen as a purely technical standards development forum, the decisions made on spectrum bands and orbit dominance define who can control technology markets and sectors, often at the expense of human rights considerations. One of the key decisions made at the WRC was on spectrum allocation that covers critical needs such as consumer use, national security, intelligence, and defense capabilities. For example, the 6GHz frequency can provide good coverage in rural and remote areas and can be used as 5G mobile network technology in urban areas. At the WRC, this band was subject to contentious last-minute agreements. While there has been a historic consensus that 6GHz should be unlicensed for usage by different technologies and industries, some countries, including Brazil, shifted their positions during the conference and opened the possibility that the frequency can be used by the International Mobile Telecommunication (IMT) industry. Discussions about the allocation of 6GHz will continue during the next WRC in 2027, and it seems likely that the mobile industry will be granted part of the 6GHz band for its use, increasing market concentration and reducing the diversity of technology options for users to choose from when connecting to the Internet. ARTICLE 19 (A19) has been actively engaged in ITU Radiocommunication Sector (ITU-R) discussions and will continue to participate in ITU-R meetings in the coming period to push back against market dominance that can prevent users from choosing alternative options and network providers and limit their access to online information.

December was also marked by the European Commission moving forward with a draft foreign agent law despite widespread criticism. Although the directive does not directly restrict Internet freedoms (IF), it could negatively impact organizations in the European Union (EU), including digital rights organizations. The draft law could be seen as the EU’s de facto endorsement of similar laws in effect in repressive regimes around the world.

The enforcement of the Digital Services Act (DSA) for very large online platforms (VLOPs) and very large online search engines (VLOSEs) – those with over 45 million EU users – has already begun, and the European Commission announced its first formal enforcement proceedings against X (formerly Twitter). By February 17, 2024, Member States will assign Digital Service Coordinators to supervise compliance, marking the beginning of enforcement for all platforms, search engines, and intermediaries covered by the DSA. Additionally, the Commission launched a public consultation to collect input on a draft regulation on the templates that intermediary services and platforms will have to use for their transparency reporting under the DSA, which the Global Network Initiative (GNI) plans to participate in.

The United Nations Educational, Scientific and Cultural Organization (UNESCO) released the final version of the Guidelines for the Governance of Digital Platforms. GNI has commented on the different drafts throughout the process. The final version continues to use “digital platforms” broadly without defining them. As GNI noted in its second submission, the Guidelines fail to address the “relevant differences that distinct services have regarding visibility, influence over, and directionality of content”. As noted in GNI’s last submission, the final draft continues to explicitly “focus on companies,” without recognizing that some digital platforms are provided by not-for-profit entities, while others may be partially or fully state-owned or controlled. GNI will continue to monitor UNESCO’s work in this area going forward.

The EU also passed the Artificial Intelligence Act (AI Act) in early December. The AI Act takes a “risk-based” approach to the governance of AI systems. This is one of the highest-profile AI regulations, so its effect will be closely watched. Before coming into effect, the Act needs to undergo final procedural steps for approval. Additionally, the United Nations (UN) Human Rights Office of the High Commissioner B-Tech project released a Foundational Paper on Advancing Responsible Development and Deployment of Generative AI with respective supplements outlining the taxonomy of human rights risks connected to generative AI and an overview of company practices. These documents pave a human-rights-centric approach to the development of regulation around generative AI.

AI dominated digital rights discussions in 2023, but often these processes have not included meaningful participation from civil society. For example, in October, the Group of Seven (G7) issued Guiding Principles for Organizations Developing Advanced AI Systems as part of the Hiroshima Process on Generative AI, but the period for input from external stakeholders was only a few days. At the same time, UNESCO is implementing its Recommendation on Ethical AI by conducting assessments in 50 pilot countries. However, according to some civil society organizations (CSOs), these assessments have not engaged local or regional digital rights organizations until the end of the process when the assessment reports were almost complete. Moreover, UNESCO has not been transparent about the process itself, raising concerns that it is establishing the foundations for AI governance behind closed doors with only government stakeholders. 

Meta started implementing default end-to-end encryption for one-to-one messages and voice calls on Messenger and Facebook. This update, aimed at enhancing user privacy, will protect the contents of messages from potential surveillance. However, concerns remain regarding the handling of backups and metadata. The encryption is based on a modified version of the Signal protocol, with options for encrypted backups. Despite these improvements, Meta still has access to significant unencrypted metadata. The rollout is a major step towards stronger user privacy on Meta platforms.

West and Central Africa (WCA)
East and Southern Africa (ESA)
Latin America and The Caribbean (LAC)
Europe and Eurasia (EE)
The Balkans
South and Southeast Asia (SSEA)
Central Asia (CA)

During the last quarter, dozens of hacking attacks on Telegram accounts were reported in Tajikistan. To register a new account, a user should receive a One Time Password (OTP) sent by SMS for authentication of a new device. Those users who were hacked did not receive the OTP confirming registration but instead saw a new device connected to the account and lost the ability to manage their accounts. The interception of SMS with OTP occurred by bypassing the mobile providers’ servers. There was no official explanation or investigation of these incidents, either from the state or from the mobile operators. Telegram’s technical support has ignored the complaints. CIIP and Access Now facilitated the public awareness-raising campaign by local media platforms providing step-by-step guidance on how to improve the security protection of personal accounts on Telegram and other popular messengers.

The attacks on civil society and media activists, both offline and online, have intensified in Kyrgyzstan. In one such case, Civil Initiatives on Internet Policy (CIIP) requested Access Now’s digital security helpline team to assist in addressing offensive bullying on social networks, which was discrediting the work of the organization and its staff. Namely, an unknown group of people using fake accounts widely disseminated the same text in local groups, mostly on Facebook. The Access Now specialists were unable to help in this situation as it was impossible to remove flagged posts from groups with tens of thousands of members. Moreover, another group of media activists connected with Temirov Live media, famous for anti-corruption investigations, fell victim to a social media discreditation campaign. Right after the reporting period, searches took place in the offices of a few media agencies, resulting in the seizure of equipment and the detention of journalists. The Committee to Protect Journalists (CPJ) made a statement calling on Kyrgyz authorities to stop the criminal prosecution of media outlets and the arrests of journalists. The Spokesperson of the UN Human Rights Office in Geneva has also made a statement about the deteriorating situation on freedom of expression and called on authorities to ensure that media legislation in the country is in line with international human rights standards. The Access Now helpline, at the request of lawyers and trusted representatives, has been blocking access to email and social media accounts of detained journalists who want to be protected from investigation authorities gaining access to confidential information from their seized devices.

On the regulatory side, the parliament in Kyrgyzstan adopted the law on access to information aimed at protecting everyone’s right to freedom of information, including access to public information. Additionally, the draft law on cybersecurity became accessible for public review. In turn, the draft law on foreign agents that includes amendments to the Law on Non-Commercial Organizations and Criminal Code was approved by the Parliament in the first hearing at the end of October. If the draft law is adopted, non-profit organizations receiving funding from abroad and conducting political activities will be recognized as ‘foreign representatives’ and required to provide additional reports and undergo extra inspections. Any violations will be punishable by either high fines or imprisonment from five to ten years. In September 2023, 120 NGOs called on parliamentarians to reject this draft law, which was followed by a similar call from the three UN special rapporteurs and the official representative of the UN Human Rights Office towards the Kyrgyz authorities in October 2023. The CPJ also argued that the legislation could “force many nonprofits to close” in Kyrgyzstan, as it has in Russia.

In Tajikistan, a new Unified Information Center for the Prevention of Extremism, Terrorism, and Cybercrimes has been created under the Prosecutor General’s Office to improve the coordination and effectiveness of combatting crimes on the Internet. The Parliament recently approved a bilateral Agreement on Cooperation with Russia aimed at joint efforts to combat the misuse of information and communication technologies to ensure international information security. In particular, the agreement covers terrorist and extremist propaganda, hacking of information infrastructure, violation of public order, and incitement to hostility.

In Kazakhstan, MediaNet International Centre for Journalism Public Foundation coordinated a joint response by civil society to the oppressive policy of publishing a list with personal information of organizations and individuals receiving foreign funding. GNI led the preparation of a blog post in cooperation with key CSOs. Civil society has called upon Kazakhstani policymakers to abolish the public foreign funding register as it violates the right to privacy and non-discrimination, which is encouraging the misuse of personal data for intimidation and suppression. The blog post is available in English, Kazakh and Russian. On October 18, 2023, Kazakhstan hosted the first national IGF.

The Middle East and North Africa (MENA)