By Otgonpurev M
According to an article by ikon.mn policymakers in the Mongolian parliament perceive fake news that appear on social networks as a cyber attack. Officials have responded to the demand to combat cyber harassment and the spread of fake news with a proposal for a Cybersecurity Law. The response included measures like the establishment of a National Cyber Incident Response Center (probably CERT) and mandatory registration for social media accounts using national identity number and mandatory ownership assignment for mobile subscribers.
“The work of democracy cannot be left to global tech companies alone. That responsibility rests on the public’s shoulders and those of democratic institutions. If they fail to modernize our election regulations, the democratic recession will only continue.” https://t.co/tpPQg0hMIX
— Arjun Bisen (@ArjunBisen1) 24. April 2019
I personally agree that the spread of fake news is becoming a threat to our national security by manipulating the uninformed public and influencing the politics and policies. As an ex-vice minister of Justice mentioned in an interview, the primary information source for a majority of the people already became online news sources according to the research done during the beginning of 2019. The so-called trolls or fake social media accounts spreading hoax or controversial news against politicians or disseminating hate content against specific ethnic groups (such as Chinese) are the primary examples of fake news in Mongolia. But I don’t believe that the proposed Cybersecurity Law would be an effective tool to fight this battle. My reasons are:
- Basically there is no effective and 100% foolproof solution to control the attribute and ownership of identity on online space. Even if there was one, it is just a matter of time to find a work-around in this age of rapid technological development. And if you can’t impose a control that covers everyone, then that control could be selectively applied and potentially misused for malicious purposes and might become a tool to silence whistleblowers and political opponents.
- It is true that Mongolia is in need of cybersecurity legislation. Apart from a sentence that has been included in the National Security Directive of 2010, there is no regulation whatsoever in terms of cybersecurity. The authority and mandate who would respond and prevent to national-level cyber threats is still not yet clear and no specific policies for inter-agency cooperation or handling of critical infrastructure exist.
The proposal for a cybersecurity law has been circulating for a while but has never reached the stage of an actual bill. I’ve participated in public discussion of the proposal in September 2018. From that discussion it was clear that online censorship was primary objective of the bill. For example, the proposal version of September 2018 states that the National CERT who is supposed to be the responder to national-level cyber threats has the duty to limit and remove what authorities determine to be fake news. Conceptually, the tasks of security engineer or security institution would include preserving the confidentiality, integrity and availability of information no matter the contents of the information.
- The proposal mentioned mandatory registration using National Identification Number (NIN) to use social media in Mongolia effectively undermining the anonymity of the users. Even though there has not been a case of a successful anonymous whistleblower in Mongolia, I personally believe that preserving online anonymity is a fundamental human right and UN, U.S. Supreme Court and organizations like the Electronic Frontier Foundation (EFF) agree. Having a traceable attribute to an online identity could potentially become a tool to harass socially vulnerable groups and limit the freedom of expression.
- The technical details and solutions of these controls are not clear as of now. The national identification number (NIN) is confidential only in theory and there are publicly available records of personal information that includes names, NIN, date of birth etc. Additionally the NIN itself is not fully random and could be derived as a function of a person’s birthdate, birthplace and gender etc. Thus having a mandatory registration using NIN does not guarantee the non-repudiation requirement of the security. In other words if your personal information is compromised, how would you prove your authenticity that you are not the person who spread the fake news? There are similar problems with the solutions of using authentic mobile subscription numbers to register for social network.
Therefore I believe that even though we are in dire need of cybersecurity legislation it should not be aimed at censoring online contents and undermining the anonymity of the users. An attempt to regulate online identity would potentially harm our democracy. Rather, I believe the soft controls such as educating and campaigning for online literacy would be more effective tools to prevent from spread of fake news and online harassment.