Edited by Emily B. Laidlaw and Florian Martin-Bariteau
The Security of Self
The Security of Self: A Human-Centric Approach to Cybersecurity
The Security of Self: A Human-Centric Approach to Cybersecurity redefines what it means to be secure in the digital context by placing people at the centre of cybersecurity. Drawing on multidisciplinary expertise, this book offers a nuanced exploration of how public policy, law, technology and human behaviour interact to shape the future of cybersecurity.
Rather than examining the concept solely through the lens of national security and organizational risk, as is often the case, the book explores a new human-centric approach to cybersecurity: the security of self. This perspective invites a paradigm shift in which the core purpose is to protect people, and society, from harm, and in which individual and collective rights define what it means to offer a safe digital environment.
With a particular focus on Canada and case studies covering the Internet of Things, artificial intelligence, virtual reality and social media, this book charts a path forward for cybersecurity, drawing on law, public policy and practices that promote the security of self. It will be a valuable resource for researchers, governments, regulators and anyone seeking to understand and shape the future of human-centric cybersecurity.
Contributors
Jane Bailey, Jacquelyn Burkell, Matthew Bush, Pascale-Marie Cantin, Benoît Dupont, Sébastien Gambs, Nick Gertler, Akim Laniel-Lanani, Jordan Loewen-Colón, Atefeh Mashatan, Fenwick McKelvey, Alex Megelas, Adam Molnar, Sharday Mosurinjohn, Jonathon W. Penney, Fyscillia Ream, Teresa Scassa, Chris Tenove, Kristen Thomasen and Heidi Tworek.
Conceptualizing Security of Self
By Emily B. Laidlaw and Florian Martin-Bariteau
Cybersecurity is a powerful term that draws political and policy attention, as well as legal and financial risk. The assumption is that we all know what we are referring to when the term cybersecurity is used. However, there is no single accepted definition of cybersecurity. Traditionally, cybersecurity has been conceived narrowly as protecting the “confidentiality, integrity, and availability of data,” usually in the context of national security or to protect corporate assets. The result is that many of the individual and collective ways that humans are put at risk have been unexamined, or under-researched, from a cybersecurity perspective.
We contend that the cybersecurity lens is a powerful one, and opens the door to different ways of conceiving of rights and responsibilities in law and policy that are important. This book takes the view that from a practical and normative standpoint, a broad, human-centric approach to cybersecurity is crucial. It does not seek to solve the question of what cybersecurity is by adding another definition to the list. Rather, it endeavours to move beyond the definitional, and advance the field of human-centric cybersecurity through interdisciplinary examination of the various “human” factors that comprise the cybersecurity experience.
We offer a new approach to human-centric cybersecurity: the security of self, inviting a paradigm shift where cybersecurity’s core purpose is to protect people—and society—from harm, and where empowering individual and collective rights is central to our experiences of a secure cyber environment. In this reframing, humans are a feature, not a bug, of the cyber environment. The focus then shifts from centring the conversation on infrastructure or organizations, to understanding human thinking and behavioural patterns and centring policies around them. States, organizations and infrastructure are, of course, still protected but from a bottom-up approach building on securing the self.
Part I: Reframing Cybersecurity Narratives
1. Whose Security Are We Talking About Anyway?
The Case of the Amazon Ring
By Jane Bailey, Jacquelyn Burkell and Kristen Thomasen
Conceptions of “cybersecurity” often focus on the protection of digital assets, including from human-related risks. Critical technology scholars and feminist scholars studying oppression-based violence, however, emphasize that even those technologies designed to offer protection can actually cause harm, particularly to members of groups who are most at risk of negative effects due to social or political marginalization. In this chapter, we emphasize the security risks for (some) humans that arise from technology—and specifically from technology that is positioned as promoting security. We use the example of Amazon Ring, one of many integrated and Internet-connected home surveillance systems. The system centres around a doorbell camera that feeds information to an operator through a cell phone app. Operators can add other home surveillance devices, too. Although Ring is marketed as a security system, it offers little in the way of actual protection and can instead expose users and others to new forms of individual and systemic violence. Such monitoring systems provide no active protection against violence, serving at best as passive observational tools that could, for example, warn that a dangerous intruder is at the door without the capacity for actual intervention. Moreover, Ring enables various forms of violence: through the traditional cybersecurity scenario of malicious hacking; through internal corporate structures that facilitate unwanted third-party access to information recorded by the system; through an abusable system that can be co-opted, for example, by a violent intimate partner, to surveil the person supposedly protected by the system; and through the establishment of a surveillance infrastructure that predictably creates vulnerability to systemic and epistemic violence for those who are captured in the surveillance records. 
In order to protect against these and other harms potentially caused by home surveillance and security technologies, we require a risk assessment process that includes a focus on the potential negative consequences of the technology, and that centres the perspectives of marginalized groups who are disproportionately at risk of negative impacts. To this end, we offer four recommendations: first, we cannot assume that technologies are positive or even neutral in their impact on individual or collective human safety and security; second, technology design and deployment decisions must focus on individual and collective human safety, with particular attention to the potential for violence arising from the technology itself; third, we must resist the unthinking resort to techno-solutionist responses to complex human problems; and fourth, a broader holistic strategy that includes regulating technology corporations and their use of data is needed to address the possibility of system harms.
2. Bringing Security Home
The Need for a Human-centric Approach to Securing Smart Homes
By Matthew Bush and Atefeh Mashatan
In this chapter, the pressing issue of cybersecurity in smart home systems is discussed, with current approaches examined and substantial gaps identified. Attention is drawn to the emerging concept of human-centric cybersecurity as a solution to the shortcomings of traditional organizational approaches to securing smart environments. A deeper understanding of the intricate relationships between individuals and the technological ecosystems found within smart homes is advocated. This perspective is reflective of the concept of security of self that prioritizes the protection of individuals within personal digital ecosystems. Through this lens, an exploration of existing technical solutions and state-of-the-art approaches to smart home cybersecurity and privacy is undertaken, providing a brief insight into the gaps between human-centric needs and the current cybersecurity landscape. The over-reliance on vendor-specific solutions is critiqued, highlighting the inconsistencies and diverse competencies among various vendors. This environment leaves non-expert consumers with complex choices to make and often results in poorly configured systems with increased vulnerabilities. The discussion also encompasses the topic of user agency over data, emphasizing the need for a transparent system in which individuals can maintain substantial control and oversight over their information without requiring intricate configuration. The need for clear directives on data accessibility and the assurance of privacy without compromising the security and functionality of smart home systems is affirmed. The conclusion calls for a collaborative approach involving tech companies, policy-makers, and users, advocating for a shared responsibility model rooted in human-centric principles. The imperative for ongoing education to empower users is underscored, as is fostering a proactive stance on cybersecurity that merges robust default security features with user-friendly functionality. 
Applying and expanding upon these recommendations will make it possible to leverage the advantages of smart technologies while still providing adequate cybersecurity attuned to the needs of smart home users.
3. The Vulnerability of Emerging Technologies of the Self
A Critical Analysis of VR Through Psychedelic Self-Hacking
By Jordan Loewen-Colón, Sharday Mosurinjohn, and Amarnath Amarasingam
This chapter investigates the dual-use potential of virtual reality (VR) and psychedelic self-hacking as Foucauldian “technologies of the self.” While these technologies can foster personal empowerment and resilience, they also create opportunities for exploitation and manipulation. VR, like psychedelics, can disrupt selfhood and consciousness by altering memory, perception, and social pressures. Contexts that leave users unaware of these psychological effects erode their autonomy. The chapter highlights two axes of exploitation: “outside-in,” where external entities manipulate users, and “inside-out,” where individuals engage in self-hacking. Both axes involve ethical concerns about power, control, and the commodification of selfhood that require robust safeguards. Interdisciplinary collaboration is necessary between humanities, social sciences, and computer science to navigate the vulnerabilities introduced by these emerging technologies. Only the experiences of sentient beings and their nurturing good relationships to themselves, each other, and the world can be at the centre of this project.
4. Developing Human-Centric Informational Security
By Jonathon W. Penney
Disinformation and information manipulation are widely seen as an urgent threat to democracy, but less often as a cybersecurity threat. Historically, disinformation has rarely been included in lists of recognized threats in cybersecurity manuals and appendices of global standards organizations, and only recently has disinformation been approached as a cybersecurity threat, with only a handful of works offering a more focused and systematic discussion on this point. This chapter aims to help fill this void by arguing not only that disinformation and information manipulation are a cybersecurity threat, but that the present predominant cybersecurity paradigm is largely inadequate to address it. Instead, a human-centric approach to cybersecurity, one that centres humans as the objects of security—“security of the self”—should be adopted to address disinformation and information manipulation. However, human-centric approaches are themselves relatively new and underdeveloped, and there is little consensus in the field about what is required. This chapter argues that human-centric cybersecurity need not be monolithic, and that different conceptualizations can be employed for different threats and contexts. To that end, a framework for human-centric cybersecurity is set out that addresses disinformation threats centred on user protection and safety, integrates psychological and behavioural factors—the human costs of information manipulation—and is broad enough to encompass robust structural law and policy reforms. Lastly, this chapter offers recommendations for operationalizing human-centric informational security, including that rights-based conceptualizations of human-centric cybersecurity should be avoided when operationalizing as policy, to reduce gridlock and inaction due to competing rights claims. Instead, a duty of care or consumer protection framework is more likely to see success.
5. The Technology-Facilitated Insecurity of Public and Private Selves
By Chris Tenove and Heidi Tworek
Conventionally, cybersecurity focuses on the confidentiality, integrity, and availability of data and data systems, rather than on how hostile or threatening communication affects human beings. This chapter expands that framing by showing how social media and messaging platforms can contribute to technology-facilitated insecurity by increasing their users’ risks of experiencing diverse forms of harm. This insecurity results partly from how social media and messaging platforms blur the boundaries between individuals’ “public” and “private” identities. That blurring can create intense security risks, which are compounded by intersectional identities. After reviewing existing literature on cybersecurity and online harassment, this chapter shows how social media and messaging platforms expose public figures to various harms, using in-depth interviews with thirty-five health communicators who engaged in public discussions of the COVID-19 pandemic. We explain why platforms exacerbate online and offline security risks, including through enhanced visibility, doxing, and the coordination of hostile networks. This chapter concludes by proposing that a human-centric cybersecurity approach should be used to address technology-facilitated insecurity as a systemic problem rather than an individual predicament. Two specific recommendations are made. First, institutions should adopt more proactive policies to support those targeted by online threats. Second, technologies and organizational policies should help individuals to maintain clearer and stronger separation between their public and private selves online. This chapter focuses on health communicators and other individuals in public communication roles because online harassment and technology-facilitated insecurity are particularly acute for them. However, these problems are a general feature of the contemporary digital media landscape. Any individual interacting online would benefit from greater security of the self.
Part II: Toward the Security of Self
6. Achieving the Security of Self in Machine Learning
By Sébastien Gambs
Broadly, the security of self relates to the capacity of an individual to protect their personal information through direct actions and initiatives under their control, and thus their privacy. In this chapter, I investigate how this notion could be achieved within the context of machine learning, in which one of the challenges is to protect personal profiles that have been aggregated and assimilated within a machine learning model. More precisely, the objective is to discuss in a prospective manner how recent advances in the field of security and privacy of machine learning could be leveraged to empower users. For instance, recent techniques such as membership inference attacks and dataset watermarking can be used as tools for auditing machine learning models, thus increasing transparency, in particular in situations in which an individual’s data have been incorporated in the model without their consent. Furthermore, “data poisoning” could be used as a preventive strategy against unauthorized data usage, while machine unlearning, by enabling the removal of one’s data from the model, can mitigate long-term privacy risks. Nonetheless, the security of self in machine learning is still in its infancy and many open issues remain to be solved, such as the legal robustness of auditing techniques as evidence in court, the integration of these rights into artificial intelligence (AI) regulations, and the necessity of significant development efforts to move from proof-of-concepts to technologies that are mature and accessible to the general public.
7. Addressing the Harms of Data Security Breaches
By Teresa Scassa
Data security breaches are rapidly increasing in number and impact. For individuals whose personal information is collected and retained across a vast number of companies and service providers, data breaches have become a source of anxiety and frustration. For the most part, data protection laws in Canada are relatively toothless, focusing on a soft touch ombuds approach to resolving complaints. In recent years, individuals have increasingly turned to class action lawsuits to seek redress and behaviour modification in cases of data breaches. Nevertheless, privacy torts and other existing causes of action are often a poor fit with data breach cases, and courts are increasingly unwilling to stretch these causes of action to fit the data protection context. Bill C-27, currently before Parliament, proposes to reform Canada’s data protection law. In doing so, it will create a new private right of action and put in place an administrative monetary penalty regime to impose sanctions on companies that disregard their obligations. This chapter considers how these reforms mesh with evolving class action jurisprudence, and whether they will, in combination, satisfy the goals of compensation and behaviour modification to better safeguard the security of the self.
8. Algorithmic Impact Assessment
From Risk Assessments to Community Research
By Fenwick McKelvey, Nick Gertler, and Alex Megelas
Security of self has to be exercised, not just considered. This chapter considers ways to create opportunities for people to exercise their human rights in technological development. Human-centric cybersecurity should improve capacity to exercise human rights. Drawing on debates about the social impact of artificial intelligence (AI), we consider innovations in public participation in AI design as a lesson for greater participation in human-centric cybersecurity. AI’s social impact has prompted calls for new measures and assessment tools. The Government of Canada has promoted the Algorithmic Impact Assessment as a key tool to assess the risk of its AI deployments. Unconventional in procurement, the tool focuses on potential social impacts beyond the traditional security and privacy assessment used. The chapter introduces Canada’s efforts, then discusses its limitations and next steps, as a way toward better assessment tools capable of understanding how to enhance and innovate in public participation in human-centric cybersecurity.
9. Securing Public Interest Cybersecurity Researchers in Canadian Universities
By Adam Molnar
Rooted in democratic ideals, public interest cybersecurity research is essential for understanding the complex relationship between cybersecurity, human rights, and social justice. Universities, with their long tradition of independent inquiry, provide a crucial space for challenging the dominant influence of private industry in shaping our understanding of cybersecurity. Researchers in these institutions are uniquely positioned to generate knowledge that goes beyond profit-driven narratives and encompasses a wider range of concerns, including those of civil society organizations, activists, journalists, and marginalized communities. However, researchers employing established computer security methods in public interest cybersecurity working at Canadian universities face their own crisis of the “security of self” due to substantial legal uncertainties surrounding the lawful permissibility of their research. These uncertainties not only threaten the personal and professional security of researchers, but also hinder their ability to contribute to a broader critical understanding of cybersecurity risks, ultimately limiting our collective “security of self” in the digital age. Building upon Deibert’s (2018) call for a human-centric approach to cyber-security that prioritizes digital security alongside public interest values, this chapter argues that the legal ambiguities surrounding cybersecurity research in Canadian universities threaten researchers’ ability to conduct meaningful research in the public interest. It examines common methodological practices in this field and their interaction with legal considerations, exploring implications under criminal and copyright law, as well as civil issues like breach of contract and negligence. 
By scrutinizing potential interpretations of computer security methods under relevant law, the chapter highlights the need to protect researchers and foster an environment conducive to critical knowledge production in human-centred cybersecurity. Ultimately, it poses a series of recommendations for governments to strengthen legal safeguards for public interest cybersecurity research in Canadian universities.
10. The Online Mutual Help Practices of Romance Fraud Victims
By Pascale-Marie Cantin, Fyscillia Ream, and Benoît Dupont
Online services have become integral to modern human interactions, making life and work much more efficient for individuals and businesses. However, they also bring a broad range of new harms, including a steep rise in online scams, which now represent the main category of crimes experienced by Canadians. As online scams have become a major source of digital, financial, and psychological insecurity for a significant share of the population, it is essential to include this type of harm in the “security of self” research agenda to craft more effective mitigation and prevention policies, including intervention strategies that are community-driven and rely on a human-centric approach rather than on a national cybersecurity mindset. This chapter examines one such community-driven approach: how romance fraud victims leverage online platforms to help each other. To this end, we analyzed the content of three online discussion forums focusing on romance fraud to study the mutual help practices adopted by victims in the aftermath of their experiences. The results show that a significant proportion of victims use these forums to tell their stories, find assistance and receive advice, and also to support and provide guidance to other potential victims who have doubts about their online relationships. Moreover, these platforms are used to expose cybercriminals by sharing identifying information, photographs, and modus operandi linked to romance scammers. Finally, victims also use these mutual help forums to raise awareness among general Internet users about these schemes and to provide the names of institutions and organizations to contact if they are ever confronted with a possible romance scam. This chapter highlights how the “security of self” can emerge from bottom-up practices when state institutions are unable to fulfill the needs of online scam victims.
11. When Victims Strike Back
Online Fraud Victims’ Response to their Victimization
By Fyscillia Ream, Akim Laniel-Lanani, and Benoît Dupont
Research on cybercrime victimization consistently concludes that victims experience similar impacts, such as negative financial, psychological, and emotional effects, and have the same needs as victims of traditional crime. However, these needs, such as social support, financial assistance, legal aid, and technical support, are often unmet, which explains why reporting rates of online fraud are low. As a result, victims and potential victims often turn to online forums and social networks to seek justice. Over the past forty years, crime prevention and control rhetoric has lowered community expectations about the state’s ability to contain crime, leading citizens to take responsibility for protecting themselves and their property. This includes incorporating cybersecurity practices into daily routines and engaging in online vigilantism, or “digilantism.” This informal justice-seeking movement can provide a sense of safety and self-confidence. This chapter examines how victims of online fraud leverage social media networks to seek justice. The results show that victims can mobilize against online fraud through digital vigilantism. Beyond simply reporting fraud, users turn to social media to expose fraudsters, seek retribution, and inform and raise awareness of online fraud. However, this chapter also reveals several challenges, such as distinguishing between fraud and unethical practices, and discriminatory bias toward fraudsters. While this study highlights the attractions of digilantism practices, it also notes that Canada has a strong need for developing prevention and intervention strategies, as well as services offering emotional, psychological, and informational aid throughout the victimization journey.
This project was made possible through the financial support of the Social Sciences and Humanities Research Council of Canada (SSHRC), through HC2P – the Human-Centric Cybersecurity Partnership, the Canada Research Chair in Cybersecurity Law and the University of Ottawa Research Chair in Technology and Society.