June 2, 2015
Encryption and anonymity play a key role in the exercise of freedom of expression and opinion in the digital age — and they deserve strong protection.
That’s the key takeaway from a new report by David Kaye, the UN Special Rapporteur for Freedom of Expression and Opinion, which was published last week and will be presented to the Human Rights Council later this month. The landmark document represents “the first attempt to create a legal framework for digital security,” according to an interview Kaye did with The Intercept last week. It’s Kaye’s first report since taking over the free expression mandate from Frank LaRue, the previous UN Special Rapporteur who published a seminal report in 2013 on the human rights impact of surveillance.
Kaye’s first report for the Human Rights Council focuses on two key questions: (1) whether “the rights to privacy and freedom of opinion and expression protect secure online communication, specifically by encryption or anonymity,” and, (2) assuming that’s the case, “to what extent may Governments, in accordance with human rights law, impose restrictions on encryption and anonymity.” In preparation, he solicited comments from governments and civil society organizations at the beginning of this year, for which OTI prepared a submission on the lessons of the Crypto Wars of the 1990s, joining a variety of other organizations who articulated the human rights benefits of encryption technology.
The report begins by explaining the myriad contemporary uses of encryption technology and drawing a link between these tools and the rights to privacy and freedom of expression and opinion, which have been codified in a variety of international human rights instruments over the years. “Encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks,” Kaye writes early in the report.
Kaye goes on to highlight specific concerns with current government practices, including recent discussions in both the United States and the United Kingdom about requiring that companies provide backdoor access to any products that use strong encryption. But he reminds us that governments arguing for such access “have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives,” and warns that “intentional flaws invariably undermine the security of all users online, since a backdoor, even if intended solely for government access, can be accessed by unauthorized entities.” Simply put, “requiring encryption back-door access, even if for legitimate purposes, threatens the privacy necessary to the unencumbered exercise of the right to freedom of expression.”
Key escrow systems — like the various proposals put forth by the U.S. government and ultimately rejected during the Crypto Wars of the 1990s — are similarly problematic, Kaye argues later in the document. Mandating that companies to provide the government access to such keys before selling encryption products, like the regulations implemented in Turkey in 2011, often create unintended vulnerabilities that can chill free expression and undermine important human rights.
In his recommendations, Kaye is unambiguous in his support for access to strong encryption. Key points include that:
“States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online,” and
“States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.”
Importantly, although it falls outside of the Special Rapporteur’s primary mandate, the report also acknowledges the responsibilities of corporations because of their role as intermediaries between governments and individual users. Emphasizing their obligation to respect human rights around the world, Kaye recommends that companies “should refrain from blocking or limiting the transmission of encrypted communications and permit anonymous communication.” The report encourages businesses to invest time and effort into expanding the use of encryption, including through more encrypted data center links, support for secure protocols like HTTPS, and the development of widely available, easy to use end-to-end encryption by default.
The Special Rapporteur’s report comes at a critical moment, as the heated debate between privacy advocates and law enforcement officials over the right to use strong encryption has reemerged in the past year. Just a few weeks ago, an unprecedented coalition of major tech companies, security experts, and civil liberties organizations in the United States sent a letter to President Obama urging him to reject any government proposals that would require companies to provide backdoor access to encrypted communications. Kaye’s report provides additional and much-needed support for their position, and we hope the U.S. government — and governments around the world — will heed its message.