For LGBTQ Youth, Truly Equitable Internet Access Requires End-to-End Encryption

Blog Post
Jan. 28, 2022

Reliable high-speed internet access can be a game-changer for LGBTQ youth, providing them both health care resources and online friend groups. That being said, in using the internet, LGBTQ youth also face greater risks than their non-LGBTQ peers.

“For many LGBT people still choosing with whom they share their sexual orientation, privacy is of paramount concern,” LGBT Technology Partnership’s Carlos Gutierrez observed in a 2018 blog post. “A privacy data breach that exposes someone’s sexual orientation can have far-reaching effects, including the loss of employment, loss of familial relationships and friendships and even the potential for physical harm or death.”

Indeed, various studies have shown that a majority of surveyed LGBTQ youth reported personal experience with LGBTQ-related discriminatory policies or practices at school, nearly half of surveyed LGBTQ youth out to their parents reported that their families made them feel bad for being LGBTQ, three in ten surveyed LGBTQ youth reported being physically threatened due to being LGBTQ, and several LGBTQ youth—including 15-year-old Lawrence King—have been murdered due to their LGBTQ identity.

For reasons like these, many LGBTQ youth “continue to manage to whom and in what contexts they are out regarding their sexual orientation or gender identity,” according to the Human Rights Campaign. As such, LGBTQ youth need data privacy protections to prevent their sexual orientation or gender identity from becoming known to the wrong people.

At the forefront of these data privacy protections is encryption. In a 2015 article for Slate, then-OTI senior policy analyst Danielle Kehl defined encryption as “the process of combining the contents of a message (‘plaintext’) with a secret password (the encryption ‘key’) in such a way that scrambles the content into a totally new form (‘ciphertext’) that is unintelligible to unauthorized users.”

“Only someone with the correct key can decrypt the information and convert it back into plaintext,” Kehl explained. “Encrypting data doesn’t stop someone who is not the intended recipient of a message from intercepting it—but it helps ensure that he won’t be able to decipher it if he does.”

As OTI’s Pronoma Debnath outlined in a recent blog, the “gold standard” of data privacy protections are provided through communication services that implement end-to-end encryption by default across one-on-one messages, group messages, audio calls, and video calls.

“With end-to-end encryption, the message remains encrypted even as it travels from sender to server to receiver, thereby protecting the confidentiality of the message, and making the contents of the message less vulnerable to interception,” Debnath explained.

In her research, Debnath found that most services fail to implement end-to-end encryption in at least some circumstances, such as when one engages in certain types of communications (such as group messaging), sends messages via a certain protocol (such as SMS or MMS), or communicates with certain kinds of devices (such as Android devices). Some services even require you to manually turn on encryption for every conversation—and, should you forget to turn it on before sending a sensitive message, there are no take-backs.

As vital as encryption is to data privacy protection, it has come under increasing fire in Congress, with Senator Lindsay Graham (R-SC) introducing both the EARN IT Act and the Lawful Access to Encrypted Data Act in 2020. The bills would undermine industry progress towards stronger encryption by forcing service providers and device manufacturers to develop “backdoors” for “exceptional access,” which could be used to decrypt user information upon government request.

However, as Center for Democracy & Technology Senior Technologist Hannah Quay-de la Vallee remarked in OTI’s “Privacy’s Best Friend” panel in February 2020, your data is only truly safe when your service providers and device manufacturers have ensured that even they themselves cannot decrypt your data.

“The whole concept of end-to-end encryption is essentially that I don't have to trust that WhatsApp isn't going to look at my messages,” Quay-de la Vallee said. “I don't have to trust that they're going to do the right thing and not go snooping. I just know that they can't.”

Meanwhile, if exceptional access is to become the new norm, young LGBTQ people will not even be able to message their doctor about their sexual orientation or gender identity without fearing that a communications service’s intentionally programmed vulnerabilities will expose their sensitive information to bad actors, who could make any number of devious moves with it, including holding it as blackmail, selling it to third parties, and publishing it online.

While the EARN IT Act and the Lawful Access to Encrypted Data Act may have fizzled out for now, Apple’s recent fumble in the encryption debate indicates that our fight for data privacy protection is not over yet. We must emphasize the importance of privacy in our communications by avoiding services that do not use end-to-end encryption by default across all messaging types, so that service providers offering less security will have no choice but to either step up their security game or risk falling into obscurity.

We must also urge elected representatives to support strong encryption and push back against attempts, legislative or otherwise, to force service providers and device manufacturers to develop backdoors for exceptional access. To ensure that LGBTQ youth are truly able to take advantage of all the benefits reliable high-speed internet access has to offer them, we must be able to promise them that no one can decrypt their data.

By pushing for greater utilization of end-to-end encryption and fighting against backdoors for exceptional access, we can protect data privacy for everyone—including LGBTQ youth.

This blog post is part of a series examining the unique impacts of tech policy on LGBTQ youth. Read more:

Related Topics
Data Privacy Encryption Cybersecurity