The way we engage on online has changed dramatically since the 1990s. We now use the internet, and the different services provided through its infrastructure, for a variety of purposes - including to access information, to communicate, to work, to make purchases, to mobilise, to connect with our loved ones, and to access public services, amongst many others.
The online ecosystem is sustained by companies whose business models rely on the collection and processing of vast amounts of data that allows them to better profile and target individuals and groups on the basis of various criteria, from their shopping preferences to information about their health and economic status. This is heightened by the fact that a few companies dominate the ecosystem, either as providers of the infrastructure and/or the services, which means users have no or limited alternatives to access the same services.
The business choices made by these companies are resulting in individuals and communities being exposed to unwarranted threats. These choices range from the design of their platforms to their use, their purposes, and their business partners.
The use of the data collected and processed, and the information and intelligence inferred from 'normal use cases' of such services means that the mere engagement exposes users to risks because of the heightened attack surface created by the failure of the providers to consider the specificities of the context of engagement of users. Such information and intelligence are used by a variety of third parties including other individuals, i.e. social surveillance; companies, i.e. data brokers, and government bodies. Government security and intelligence agencies feed such data, information and intelligence into their surveillance programmes. In the name of national security and public interest they justify their ability to access and use such data, and also to undermine efforts of companies to protect their users and services, which would make it harder for them to access such data, i.e. encryption or backdoors.
Whilst all users engage with the platform on the same terms and conditions, the likelihood and severity of the risk is heightened for people and communities who are the target of state surveillance, those users whose data generates the most profit for corporations, and those who are the target of social media surveillance.
Services should empower individuals and communities and provide them the tools to enjoy and fulfil their fundamental rights and freedoms. Companies should take active measures to reduce the attack surface to which all their users are exposed and, in particular, respond to the needs and context of at-risk communities - such as women, gender diverse people, those subject to racism or hate crime. They should prevent profiling, and implement technological, legal, and regulatory safeguards to prevent other threat actors, including other individuals and governments from exploiting those vulnerabilities.