During a speech at the annual UNESCO Internet Governance Forum in Paris Monday, French President Emmanuel Macron announced the “Paris Call for Trust and Security in Cyberspace,” a new initiative designed to establish international norms for the internet, including good digital hygiene and the coordinated disclosure of technical vulnerabilities.
The document outlines nine goals, like helping to ensure foreign actors don’t interfere with elections and working to prevent private companies from “hacking back,” or retaliating for a cybercrime. It’s endorsed by more than 50 nations, 90 nonprofits and universities, and 130 private corporations and groups. The United States is not one of them.
The Paris Call ultimately lacks teeth; it doesn’t require governments or corporations legally adhere to any specific principles. It’s mostly a symbol of the need for diplomacy and cooperation in cyberspace, where it’s hard to enforce any single country’s laws. More notable than the accord itself is who signed it. Major American technology corporations including Microsoft, Facebook, Google, IBM, and HP all endorsed the agreement.
The United States, meanwhile, was not alone in taking a pass. Russia, China, Iran, Israel, and the United Kingdom didn’t sign either, a sign of how tech corporations are playing a more active role in governing the internet. Some of the abstainers, like China and Iran, have active cyberwar initiatives, but it’s not clear why countries like the UK also sat out.
Microsoft, on the other hand, says it worked closely with the French government to craft the Paris Call.
“It’s an opportunity for people to come together around a few of the key principles: around protecting innocent civilians, around protecting elections, around protecting the availability of the internet itself. It’s an opportunity to advance that through a multi-stakeholder process,” says Brad Smith, the president of Microsoft, who also gave a speech in Paris Monday. In some ways, Smith sounds more like a lawmaker than an executive—which shouldn’t come as much of a surprise.
On the internet, corporations like Microsoft are increasingly taking on responsibilities once reserved for nation states. “If you look over the past three or four years, we’ve really seen a groundswell of private leadership,” says Megan Stifel, the cybersecurity policy director at Public Knowledge, a non-profit that endorsed the Paris Call. “The private sector is now willing to say that we can and we will do more.”
In April, Microsoft announced the Cybersecurity Tech Accord, an agreement similar to the Paris Call that was signed by more than 60 technology corporations, which it dubbed a “a Digital Geneva Convention.” In July, the company publicly advocated for the regulation of facial recognition technology and said it was developing its own set of principles for how it should be used.
Then in August, Microsoft took action against the hacking group known as Fancy Bear. In an announcement that could have just as plausibly come from the FBI, the company went so far as to attribute the series of malicious domains it seized as having originated from Russia.
It’s not just Microsoft: In August, Facebook and Twitter worked with US government authorities to take down accounts and pages they believed were part of a coordinated propaganda campaign originating in Iran. Last week, Facebook set up a war room to track misinformation during the US midterm elections, in an effort to ensure the voting process wasn’t being disrupted.
Combating cyberattacks and monitoring elections were once tasks reserved for government officials. But now much of the globe’s civic activity occurs not just in cyberspace, but on private platforms owned by companies like Facebook and Microsoft. That means it’s in their business interest to support measures like the Paris Call, which aim to make the internet a more secure and predictable place.
Not every group that supports the Paris Call agrees with all of its tenets. Access Now, an international non-profit that advocates for a free and open internet, criticized two parts of the agreement in a blog post published Monday.
The agreement calls for stakeholders to cooperate to address the threat of “cyber criminality,” but Access Now worries that could be interpreted to mean companies and governments should share data without a court order, for instance. The Paris Call also advocates for the prevention of intellectual property theft, but the nonprofit thinks that could end up putting freedom of expression at risk if states are overly aggressive.
“The document is imperfect but it arrives as other governments, that did not endorse the Paris Call, have shown a competing vision for cybersecurity grounded instead in state sovereignty and control,” says Drew Mitnick, policy counsel at Access Now. Mitnick says his organization is looking forward to the next iteration of the Paris Call, which is set to reconvene next year in Germany.
In the meantime, the agreement’s organizers will likely continue to try to get nations like the US on board, while the country’s largest tech companies keep leading the way.