The Encryption and Anonymity follow-up report (A/HRC/38/35/Add.5) of the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression1 was published on 13 July 2018. It reiterates that encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.
The report clearly illustrates the developments of the past three years and highlights the challenges that users face, often resulting from the fact that many states see encryption and anonymisation services as a danger and a risk and are therefore trying to interfere with them. In this context, new domestic laws have been introduced in recent years and existing ones have been extended. The worldwide developments so far are extremely critical.
Trends in state restrictions
On the one hand, there is a trend ranging from licensing and registration to bans on the use and distribution of encryption/anonymisation services and technologies, and even the deliberate weakening of encryption. In addition, government activities have increased, representing government hacking and even including mandatory data localisation and key escrows. However, a few states view communication encryption positively and refrain from enforcing regulations that would facilitate state access.
The right to freedom of opinion and expression are codified in many facets internationally,2 as well as nationally.3 To distinguish from this, the right to privacy and secret communication, which is also internationally4 and nationally5 recognised, is an elementary right. Restrictions of these fundamental human rights must be provided by law (principle of legality), pursue a legitimate objective of public interest (such as national security, public order, health or morals), be necessary to achieve that objective, and be proportionate to the objective.
The right to freedom of expression and secret communication depend on each other. Only those who can be sure they can communicate unhindered and secretly can also act accordingly in regard to expression of their opinion. This fact was also identified in the 2017 UN Human Rights Council resolution on the right to privacy in the digital age. Manufacturers of encryption technologies were asked to take appropriate measures and implement them to ensure protection.
On the other hand, however, developments on the part of the state are subject to restrictions of these legal rights. According to the report, the use of VPN services or TOR software is banned in some states and technology providers are hindered in their access to the market. Backdoors are also being installed by default as required by respective national laws.
However, it is not only states with poor human rights track records that are mentioned in the report. In some liberal democracies,6 the weakening of these rights takes place through some of the above-mentioned methods. Those developments described by the Special Rapporteur are the most relevant nowadays for digital societies as rights are being eroded. Slowly, states are moving towards a situation where it is “essential” to have access to communication processes for reasons of national security. In general, that position is understandable, but the respective practice and laws should be oriented according to the “strong and solid” hurdles described within the ICCPR example to prevent borderless practice.
What are corporations up to?
The report identifies three main stakeholders in the field of digitalisation, encryption and anonymity: messaging application developers, ICT device manufacturers and digital access providers. Their roles are considered vital as they facilitate privacy and freedom of expression.
Some messaging applications have hundreds of millions of users across the world. One can imagine that through those channels, a huge amount of private information is transmitted and is also vulnerable to interference if not protected in a proper way. ICT device manufacturers have more or less implemented a (voluntary) industry practice to have built-in encryption tools that secure the data stored on or transmitted by them. Digital access providers, which provide communications infrastructure, bear a responsibility to refrain from undue interference with encrypted communications and the anonymity of end users.
The report also analyses the extent to which private sector stakeholders fulfil their obligations of High-Level Policy Commitments and conducting due diligence as described in the UN guiding principles. Most messaging application developers have High-Level Policy Commitments in which they state that in general they protect the privacy of their users and how they achieve that commitment.
One measure to ensure private and anonymous communication is to have encryption by default implemented, to maintain that feature, and to educate end users. It should be noted that end-to-end encryption only protects communications in transit; stored data also has to be encrypted. Other key aspects come into play too. Developers have to deal with intricate and ongoing analysis of the trade-offs between security, costs of implementation, ease of use, message delivery and service availability.
The Special Rapporteur also identified a need for Policy Safeguards beyond technical aspects and measures. There has to be a corporation strategy in place to prevent or mitigate government demands for mandatory key escrows and other decryption measures, as they will circumvent the benefits of providing end-to-end encryption. The content of such a strategy can be clear, and accessible policies on data collection, handling, sharing and retention, such as law enforcement guidelines and advertising policies, are also essential.
Regarding the broad range of device manufacturers, there is a tendency to have built-in encryption tools to prevent unauthorised individuals from accessing users’ devices. Although the technology varies by company and device, device encryption generally makes data stored on the device indecipherable without a key – typically a password/passcode – to unlock the device.
When it comes to accessing the Internet, digital access providers (Internet Service Providers) have a huge responsibility. But they also have, by default, different roles: one role, as a sentinel, is to safeguard their own network. On the other hand, ISPs act as nerve centres and switchboards with their own power, resources and capabilities. When developing their network architecture, they must make design and engineering decisions that have implications for human rights. This is why the Special Rapporteur has urged ISPs and other digital access providers to “assume an active and engaged role in developing expression and privacy enhancing measures” and to incorporate human rights safeguards into their designs wherever possible.
However, all three private stakeholders mentioned are subject to respective national laws and have to act in accordance with them while carrying out their profit-oriented business.
Recommendations
The Report concludes with recommendations to states and companies. According to paragraphs 48-52 of the Report, States should:
‘adopt laws and policies that provide comprehensive protection for and support the use of encryption tools, including encryption tools designed to protect anonymity’; any restrictions, including government hacking measures, should only be permitted in exceptional circumstances where they ‘satisfy the requirements of legality, necessity, proportionality, and legitimacy of objective’; bans on encryption or anonymity tools do not meet these criteria;
not require backdoor access in commercially available products and services;
refrain from mandating local storage of all user data, including encryption keys, or establishing key escrows;
consult civil society, corporations, the general public and relevant stakeholders on the scope of restrictions;
enact laws that require case-by-case judicial authorisation of every decryption or hacking order by the state.
The recommendations to ISPs and other companies (paragraphs 53-55) are more vague:
conducting impact assessments of digital security and privacy of individuals;
providing the highest user privacy settings by default;
providing guidance about encrypted traffic analysis, data retention, and safeguards to prevent undue interference with such traffic.
Conclusion
The report is a very valid update on important developments in the field of encryption and anonymity. It shows how states and private corporations are engaged in this topic and the challenges and opportunities in the field. It remains to be seen how these observations and recommendations will affect state practice.
Author: Torsten Corall, NATO CCDCOE Law Branch
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
- David Kaye was introduced as the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression in August 2014. The Mandate of the Special Rapporteur is based on HRC resolution 7/36. His main task among others is to gather all relevant information, wherever it may occur, relating to violations of the right to freedom of opinion and expression, discrimination against, threats or use of violence, harassment, persecution or intimidation directed at persons seeking to exercise or to promote the exercise of the right to freedom of opinion and expression. His first report on encryption and anonymity was issued in 2015, drawing from research on international and national norms and jurisprudence and the inputs of states and civil society. [↩]
- Freedom of opinion and expression: Art. 19 of the International Covenant on Civil and Political Rights (“ICCPR”); Art 19 of the Universal Declaration of Human Rights (“UDHR”). [↩]
- For example, Art. 5 German Basic law. [↩]
- Art. 17 ICCPR and Art. 12 UDHR. [↩]
- For example, Art. 10 German Basic law. [↩]
- USA: US government pushed tech firms to hand over source code. UK: Case No. UKSC 2018/0004 (Supreme Court) / C1/2017/0470/A (Court of Appeal) / CO/2368/2016 (High Court). [↩]