Is the world truly safer because our phones can identify us with a glance, or have we simply traded one set of vulnerabilities for another, infinitely more invasive set? The breathless coverage of AI-powered security and biometric tracking misses a crucial point. The real story here isn't the dazzling tech itself – it's the frantic, often clumsy, attempts by global institutions like the U.N. Security Council to govern technologies they barely understand, while simultaneously battling a foe that thrives on exploiting those very same technologies. For years, the narrative has been about terrorists adopting tech, but the more pressing issue is how our systems for controlling that adoption are fundamentally broken, perpetually lagging behind the curve.
The assumption that terrorist organizations are tech innovators is largely a myth. As the U.N. has observed, groups like ISIL aren’t building the algorithms; they’re adeptly repurposing readily available commercial tools – social media for propaganda, AI for recruitment, and increasingly, sophisticated financial technologies for fundraising. This isn’t about a technological arms race; it’s about asymmetrical warfare waged with off-the-shelf components. In 2005, the London bombings, triggered by online radicalization, served as a wake-up call, prompting Resolution 1624, urging states to prohibit online incitement. But the resolution’s deliberately vague language – “prohibit” versus “criminalize” – highlights the inherent tension: a desire for action hampered by a lack of consensus and fear of overreach. It was a first step, but one built on compromise, and therefore, limited enforceability.
The speed of technological development is the core problem. Governance, even at the international level, operates on a timescale measured in years, even decades. Technology evolves exponentially. This “reg-lag,” as it’s become known, isn’t simply a matter of policymakers being slow to react; it’s a systemic issue compounded by a lack of technical expertise and, frankly, the influence of corporate interests. Consider the rollout of biometric technology. By 2017, following a surge in attacks by returning foreign fighters and ISIS-inspired individuals – the Paris attacks, the San Bernardino shooting, the Berlin Christmas market attack – the Security Council, through Resolution 2396, obligated states to develop biometric systems. This happened despite the absence of a universal, binding governance regime for the technology itself. The perceived urgency – the threat of ISIL was deemed greater than the risk of potential abuse – effectively short-circuited the usual safeguards.
This isn’t a case of reckless abandon, however. The U.N.’s response has been characterized by a pragmatic, if imperfect, approach: prioritizing principles over rigid rules and relying heavily on non-binding guidance. The “Madrid Guiding Principles,” developed in 2015 and later supplemented with an Addendum, offered practical advice on addressing foreign terrorist fighters, emphasizing human rights compliance even as they advocated for increased surveillance. The more recent Delhi Declaration (2022) and the subsequent Abu Dhabi and Algiers Guiding Principles (2023, 2025) extend this approach to emerging technologies like drones and new payment methods. These aren’t legally enforceable treaties, but they represent a crucial attempt to establish a common language and understanding, a framework for responsible innovation in the face of evolving threats. The key is recognizing their inherent imperfection – they’re intended as interim solutions, a way to buy time while more comprehensive governance structures are developed.
Original reporting: justsecurity.org.
But even this flexible approach isn’t without its critics. Concerns about transparency and the mainstreaming of human rights within these guidelines are valid. The reliance on “soft law” – non-binding agreements – raises questions about accountability and enforcement. The U.N. Special Rapporteur has rightly pointed out that these guidelines are often formulated in opaque processes. Yet, dismissing these efforts as insufficient misses the point. The Security Council isn’t operating in a vacuum. It’s responding to a dynamic threat landscape, attempting to balance security concerns with fundamental rights, and acknowledging the limitations of its own authority. The alternative – paralysis in the face of technological disruption – is far more dangerous.
The real challenge isn’t simply what technologies terrorists are using, but how we respond to their exploitation of those technologies without eroding the very freedoms we’re trying to protect. The Security Council’s evolution from urging states to “prohibit” online incitement to mandating biometric data collection demonstrates a willingness to adapt, but also a fundamental tension between expediency and principle. The proliferation of alternative governance regimes – sandboxes, industry self-regulation, overseeing bodies – reflects a growing recognition that traditional multilateral frameworks are too slow and cumbersome.
Looking ahead, watch closely for the development of “tech-specific” governance regimes. The Abu Dhabi principles on drones and the Algiers principles on new payment technologies are early examples. But the crucial question isn’t whether these principles are adopted, but whether they are enforced – and whether they can keep pace with the next wave of technological disruption. Specifically, in the next 18 months, we’ll see a critical test: will the Security Council be able to formulate a coherent response to the increasing use of decentralized, encrypted communication platforms by terrorist groups, or will it once again be left playing catch-up, scrambling to govern technologies it doesn’t fully comprehend? The answer will determine whether the current approach is a viable long-term strategy, or simply a series of reactive measures destined to be perpetually outpaced by the evolving threat.
