Findings: A Cycle of Harm

The evidence of harm in this paper transcends actors, infrastructure, and platforms, to explain why the inflicted damage is gendered in its nature and impacts. The four factors—data, control, perception, and access—illustrate how data weaponization specifically targets and harms women and LGBTQ individuals and provides categories for different types of attacks. These factors, while each by itself can eventuate into gendered harms, often intersect and interact. The cascading dynamics, meaning that one form of gendered harm leads to another, are aggravating in their impacts, and the harm inflicted on affected people is usually more severe when two or more factors are present.¹ Due to the cascading and compounding dynamics of gendered harm, victims can become trapped in a cycle of harm, where the initial harm leads to deeper, more acute harms.

Gendered harm is both contextual and intersectional. The context is formed by policy and legal frameworks, gender norms and roles imposed by society and the state, access to services, social and family structures, and the environment. Consequently, gendered and punitive laws, abusive and patriarchal social structures, and misogynistic, sexist, and discriminatory attitudes increase the likelihood and severity of gendered harm experienced by victims. Victims’ gender and intersecting identities—such as sexuality, race, employment, and visibility—further influence the type, likelihood, and intensity of harm. Data exploitation can incur enduring and potentially perpetual harm, depending on how long the data was exposed, in which form, how it was abused, who was the perpetrator, and who was the target.

The online and offline dimensions of gendered harm reinforce each other. Data weaponization may occur exclusively online, it may also occur in connection with offline events, and it almost always has repercussions that are experienced both online and offline. Gender is not a vulnerability by itself but because it is a target of discriminatory and abusive behavior, and the higher risk of harm in the online spaces flows from inequity and exclusion in the physical world. The negative impacts are extensive and nonexhaustive. They undermine the rights of affected people, hinder progress on gender equality, and contribute to abuse, violence, and insecurity.

Data weaponization raises critical concerns for democracy and national security. Gendered harms lead to mistrust in platforms and services, unequal participation in public spaces and democratic processes, and discriminatory provision of vital care. Women will likely experience a disproportionate amount of harm as the frequency, scale, and impact of cyberattacks continue to rise in the coming years. Many of these attacks are deployed by state-sponsored, state-affiliated, and transnational cybercriminal groups for a myriad of financial, political, and ideological reasons.² In this context, it is essential to integrate gender considerations into cybersecurity strategies and policies.³

This paper identified policy, legal, implementation, accountability, evidence, support, and research gaps.

Policy and Law

Current cybercrime policy and legal frameworks fail to protect women and LGBTQ individuals, and may further exacerbate vulnerabilities through gender-blind or overly expansive provisions. Existing legal frameworks, protection measures, and redress mechanisms are frequently inadequate, lagging behind the rapid evolution of data exploitation techniques and tactics.

Implementation

Even if policy and legal frameworks are in place, obtaining justice remains difficult. Established legal precedents, practices, and attitudes of law enforcement and prosecutors can hinder the investigation and prosecution. Barriers such as discrimination against women and the LGBTQ community further complicate reporting the incidents, making it nearly impossible for some individuals to seek help. In essence, harm is inflicted rapidly, while legal remedies—if they exist—are often significantly delayed or entirely out of reach.

Accountability

Existing accountability mechanisms are ill equipped to obtain justice, especially in cases where perpetrators are state-supported cybercriminal groups, or when the state itself is the attacker. There is little accountability for the public and private entities that commercialize, mishandle, and weaponize data. This problem is aggravated by the current lack of accountability for vendors that develop and market insecure technology, leading to the lack of adequate security measures and widespread vulnerabilities exploitable by malicious actors.

Evidence

Underreporting is prevalent and coupled with insufficient capacity to evidence these attacks. Victims experience shame and embarrassment, fear reputational risk connected to publicizing the attack, lack awareness that victimization has occurred and where to report incidents, and have low confidence that law enforcement can assist them. The most vulnerable victims are often unable or unwilling to report incidents.

Support

Victims are left on their own. Notifications about how their data has been exploited and the available avenues for redress are routinely neglected. Many victims do not have the means to pursue recourse, or the knowledge where to seek assistance. Support programs offering legal assistance and counseling are often insufficient, poorly integrated, and inaccessible or nonexistent in certain countries.

Research

The intersection of gender and data weaponization is understudied, primarily due to the lack of disaggregated data, qualitative analysis, and firsthand testimonies. This gap limits the ability to conduct thorough and comparative analysis of how gender and intersecting identities shape the experiences of different groups facing data weaponization.