Recommendations
By recognizing and understanding the links between gendered harms in data weaponization, states, private actors, and civil society can more effectively prevent, counter, and mitigate these harms. This report offers a set of recommendations to achieve this.
Incorporate Gender Analysis in Policy and Law
States should mainstream gender into policies, legal frameworks, and practices, including a commitment to gender equality. The responsible agencies should initiate a process that critically analyzes cyber-related policies from an intersectional perspective and incorporates a cyber dimension into frameworks relevant to gender.1
Current policy analyses are gender-blind and need to include more robust gender analysis. State agencies should collect sex- and gender-disaggregated data that meet the standards for evidence-based policy design. Gender analysis necessitates collecting data on gender and cybercrime more broadly and disaggregating analysis by gender, age, ethnicity, class, socio-economic background, and other relevant intersecting identities to identify trends relating to the types of crimes, victims, perpetrators, and resulting harm.2
States should develop methodologies that help document gendered harm, quantify and qualify harms and impacts, and identify macro-level trends. Such methodologies should consider the range and frequency of vulnerabilities that are present within the population—or if the breach only affects a particular sub-group, the range and frequency of vulnerabilities that are present within that sub-group.
Anti-cybercrime policy and legislation can exacerbate or introduce new gendered harms. States should draw on resources that help policy makers and implementers incorporate feminist methodologies, principles, and gender analyses, promote gender equality, and prevent cyber policies from unintentionally reinforcing gender disparities.3
Participatory and inclusive approaches help states to fill potential gaps within the gender analysis, and to understand local and contextual gender dimensions. This includes engaging with gender and human rights groups, research institutions, and grassroots organizations with established networks and proximity to victims to encourage proportional representation of women and gendered perspectives throughout the policymaking and implementation process. Stakeholders should be formally involved to advise and provide evidence and insight.
Build Capacities and Avenues for Recourse and Justice
The criminal justice system needs substantial capacity to document and investigate the gendered impacts of data weaponization. Specialized training for law enforcement, prosecutors, and judges is critical to the effective handling of cybercrime cases, ensuring that they have the technical capacity and expertise to secure and verify evidence, conduct thorough investigations, and prosecute offenders in a manner that upholds justice and protects victims of cybercrime. States should increase the capacity of the institutions and agencies responsible for countering and responding to cybercrime and further embed gender considerations in their mandates, processes, and practices.
Victim assistance services should be systematically funded, and states should increase the capacity to provide gender-sensitive and responsive assistance that prioritizes a victim-centered approach to redress and reparations. States should create specialized cyber victim support units within law enforcement agencies that focus on supporting victims of cybercrime, with a particular emphasis on crimes that have a gendered component. Support for victims of gendered cyberattacks and other forms of technology-facilitated violence is currently fragmented, relying on a patchwork of civil society organizations and social justice groups. These organizations remain underfunded to provide comprehensive assistance, which is essential for addressing the complex needs of victims. This includes access to legal counsel, psychological support, and effective remedies that prevent revictimization.
States should create online reporting mechanisms and helplines that are accessible, safe, and specialized and that allow the authorities to initiate investigation and recourse for victims. Such mechanisms should serve as a gateway to obtaining protection, accessing counseling, and finding support for removing harmful materials. States and private entities should prioritize initiatives and tools for taking down sensitive data and harmful content. These are particularly relevant for medical and personal information and for image-based abuse such as nonconsensual intimate images. Coalitions built across stakeholder groups, leveraging the strengths of states, the private sector, and civil society, should formalize knowledge and information sharing about cyber victimization.
Bolster Data Protection and Retention Rules
As long as organizations keep collecting troves of sensitive data, malicious actors are motivated to weaponize it against the people it describes. It is imperative that organizations limit the amount of sensitive data they collect. Data collection and retention practices must be in line with the principles of necessity, proportionality, and data minimization. Unless states have written these obligations directly into their national laws, the private sector has few binding obligations to follow human-rights-centered and gender-sensitive considerations.
All entities collecting personal data should adopt a privacy-by-design approach. Service providers should implement best practices on how to collect, use, and store data; collect only data that is essential to providing the required service; and use it only for the purposes for which they obtained user consent. The sensitivity of the data being processed must also be considered, with restrictions tightened according to the potential risk. Risk analysis should incorporate social aspects and considerations based on gender and other intersectional identities.4
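As an added illustration of the three rules above (collect only what the service needs, use data only for a consented purpose, restrict sensitive categories more tightly) and of the default-off location handling described in note 6, not code from the report: a small Python policy layer for a hypothetical health-tracking service. The field names, purposes, and retention periods are constructed assumptions.

```python
from datetime import timedelta

# Constructed policy for a hypothetical health-tracking service (assumption).
# Only ESSENTIAL fields are stored unconditionally; every other field needs
# consent to a named purpose, and location is additionally off by default.
ESSENTIAL = {"account_id", "cycle_start"}
PURPOSES = {"diagnosis": "symptom_insights", "location": "clinic_finder"}
# Special-category (health) and location data get short, per-field lifetimes.
RETENTION = {
    "cycle_start": timedelta(days=365),
    "diagnosis": timedelta(days=90),
    "location": timedelta(days=1),
}
DEFAULT_RETENTION = timedelta(days=30)


def minimize(record, consent, service_needs_location=False):
    """Data minimization at the point of collection.

    `consent` maps a field name to the purpose the user agreed to. Location
    is kept only when the service genuinely needs it AND the user opted in;
    any field that is neither essential nor consented (ad ids, contacts,
    free-text notes) is dropped before it is ever stored.
    """
    kept = {}
    for field, value in record.items():
        if field in ESSENTIAL:
            kept[field] = value
        elif field == "location":
            if service_needs_location and consent.get(field) == PURPOSES[field]:
                kept[field] = value
        elif field in PURPOSES and consent.get(field) == PURPOSES[field]:
            kept[field] = value
    return kept


def allow_use(field, purpose, consent):
    """Purpose limitation: essential fields serve the service itself; anything
    else may be used only for the single purpose the user consented to."""
    if field in ESSENTIAL:
        return purpose == "service"
    return PURPOSES.get(field) == purpose and consent.get(field) == purpose


def expired(field, stored_at, now):
    """Retention: delete once the field's lifetime has passed."""
    return now - stored_at > RETENTION.get(field, DEFAULT_RETENTION)
```

A realistic deployment would run `expired` from a scheduled deletion job and log every refusal from `allow_use` as a policy event rather than silently returning False.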
Norms and standards for data privacy should be considered in terms of the individuals and communities they affect. Public and private entities collecting, processing, storing, or otherwise handling or using personal data should prioritize working with users from targeted and marginalized communities, and consider their processes and practices through the lens of gender and intersectional identities. Designing from the margins can maximize safety, privacy, and security for all users, particularly those who are the most exposed.5
Secure Infrastructure and Design of Technology Products
Although technology design plays a key part in generating and enabling gendered harms in data weaponization, it also has a role in mitigating them. Technology should be designed, developed, and deployed with an impact assessment that considers context and identity.6 Platforms and applications should include privacy-enhancing tools such as early warning systems through which incidents can be reported and identified.
Products should be built safely and securely, especially if integrated into critical infrastructure and services where data breaches have both national security and individual harm implications. As data breaches exploiting technology vendors increase, data protection must be addressed at the infrastructure and software layers on which the systems operate. Vulnerability analysis often leads to victim-blaming or to attributing cyber incidents excessively to “human error.”7 However, these are symptoms of systemic problems rather than individual failures. The Secure by Design approach to software security pioneered by the U.S. Cybersecurity and Infrastructure Security Agency provides key considerations for securing vulnerable software before it reaches people.8
Critical infrastructure should be designated in a way that includes services and facilities essential for people of all genders, gender identities and expressions, and sexual orientations. States should facilitate inclusive processes that allow for a critical assessment of remaining gray areas, such as the security and availability of essential facilities, assistance, and information related to gender-specific needs. Inclusive and participatory processes help to increase knowledge and coordination across different agencies and organizations and avoid contradictions in policy and practice.
Citations
1. For illustration, the EU directive against gender-based violence includes considerations for cyber violence. The Istanbul Convention on all forms of violence against women and domestic violence bears relevance for addressing online and technology-facilitated violence against women. The Budapest Convention on Cybercrime includes provisions for the nonconsensual sharing of intimate images, and its transposition into national law can elevate the importance of investigating and prosecuting these types of crime under the national criminal justice system.
2. For example, the U.S. National Cyber Strategy acknowledges that “the greatest harm falls upon the vulnerable populations for whom risks to personal data can produce disproportionate harm” and could include clearer identification of vulnerable groups and people in positions of vulnerability to adequately protect them. See Biden–Harris Administration, National Cybersecurity Strategy (White House, 2023), 19, source.
3. Such guidance is provided, for example, in the Association for Progressive Communications’ tool for assessing the gender impact of national cybersecurity strategies and in Chatham House’s strategic approach to countering cybercrime and its framework for integrating gender in cybercrime capacity-building. See Verónica Ferrari and Paula Martins, A Framework for Developing Gender-Responsive Cybersecurity Policy: Assessment Tool (Association for Progressive Communications, 2023), source; Joyce Hakmeh and Jamie Saunders, The Strategic Approach to Countering Cybercrime (SACC) Framework (Chatham House, July 11, 2024), source; Emerson-Keeler, Swali, and Naylor, Integrating Gender in Cybercrime Capacity-Building, source.
4. For example, medical data is legally considered a special category of personal data (i.e., sensitive) under GDPR (Art. 9) and other privacy laws, for instance the HIPAA Privacy Rule. The principle of data minimization is a key element of GDPR (Art. 5).
5. Afsaneh Rigot, Design from the Margins (Harvard Kennedy School Belfer Center for Science and International Affairs, May 13, 2022), source.
6. For example, developers of apps that collect sensitive data should not enable location functions by default and should consider disabling such functions if they are not necessary for the provided service. Health care app providers should refrain from collecting location-based information that tracks visits to abortion clinics and other gendered health care facilities.
7. For example, phishing links are a common vector for malicious software.
8. Cybersecurity and Infrastructure Security Agency (CISA), Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software (CISA, 2023), source.