UN Report: Encryption and Anonymity Tools Essential to Free Expression Online

“Encryption and anonymity provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks.”  This is the message that the UN Special Rapporteur on the freedom of opinion and expression, David Kaye, delivered to the UN Human Rights Council today, in his landmark report on the use of encryption and anonymity in digital communications.  CDT joins Human Rights Watch, Article 19, Privacy International, and many other human rights organizations in welcoming this report.

This timely report is an important recommendation to governments around the world concerning their obligations to protect and promote human rights to freedom of opinion and expression.  Thanks to Edward Snowden’s disclosures, policymakers and individuals across the globe have become more attuned to the massive potential – and reality – of government surveillance of online communications. Mass surveillance is not only a disproportionate interference with the right to privacy, it also creates a chilling effect on individuals’ willingness to seek, receive, and impart information, burdening their rights to freedom of opinion and expression.

Mass surveillance is not only a disproportionate interference with the right to privacy, it also creates a chilling effect on individuals’ willingness to seek, receive, and impart information, burdening their rights to freedom of opinion and expression.

Encryption and anonymity tools are key safeguards against these sorts of threats to individual rights.  Increasingly, we see technology companies taking seriously their commitments to protect their users’ privacy by introducing encrypted versions of their sites and services and turning encryption on by default.  As we detail in a recent paper, HTTPS is becoming a best practice for everyone who runs a web service  – even the US government is getting in on the act, as they announced last week with a directive that will ensure that all .gov websites are available in HTTPS only by the end of 2016.

Unfortunately, at the same time, we continue to hear calls from law enforcement and intelligence officials in the US and the UK for “backdoor” access to encrypted communications.  Calls for backdoor access or key escrow are distractions masquerading as policy proposals; it is abundantly clear (and has been for years) that such tactics would undermine security for all while being trivially easy for law enforcement’s adversaries to circumvent.  As the Special Rapporteur’s report notes, “It is a seemingly universal position among technologists that there is no special access that can be made available only to government authorities, even ones that, in principle, have the public interest in mind.”

The report goes on to note that, even if a government can make the legal argument that it is pursuing a legitimate national security aim by intentionally compromising encryption, this tactic is still disproportionate because compromising encryption weakens everyone’s security online.  “[R]equiring encryption back-door access, even if for legitimate purposes, threatens the privacy necessary to the unencumbered exercise of the right to freedom of expression.”

Encryption and anonymity tools support freedom of opinion and expression online

The report describes a number of ways that encryption and anonymity tools complement each other to reinforce individuals’ privacy and free expression rights online.  Encrypted services provide human rights advocates, journalists, lawyers, doctors, clergy, and many others the type of confidentiality and integrity of communications that are essential to the work they do.  Encryption can also help individuals to circumvent network-level content filters that inspect traffic and block access based on keywords in the text.  “Some States impose content-based, often discriminatory restrictions or criminalize online expression, intimidating political opposition and dissenters and applying defamation and lese-majesty laws to silence journalists, defenders and activists.  A VPN connection, or use of Tor or a proxy server, combined with encryption, may be the only way in which an individual is able to access or share information in such environments.”

The report also provides an insightful discussion of the scope of the right to freedom of opinion, calling attention to the fact that the freedom to hold opinions is an absolute right, with which no type or degree of state interference is permissible.  “The ability to hold an opinion freely was seen to be a fundamental element of human dignity and democratic self-governance, a guarantee so critical that the [International Covenant on Civil and Political Rights] would allow no interference, limitation or restriction.”

As we discussed in our contribution to the Special Rapporteur, people increasingly use online services to seek out new information, record their thoughts, store drafts of written, visual, and audio communications – in short, to formulate their opinions.  The Special Rapporteur emphasizes this point, noting that “[H]olding opinions in the digital age is not an abstract concept limited to what may be in one’s mind.  And yet, today, holding opinions in digital space is under attack.”  The report describes how, in the digital age, interference with the freedom of opinion may include “targeted surveillance, distributed denial of service attacks, and online and offline intimidation, criminalization and harassment” – interference which is impermissible for states under human rights law.

Recommendations for States

The Special Rapporteur concludes his report with a number of recommendations for how States should develop rights-respecting policies around encryption and anonymity tools. We recommend that States adopt the report’s core recommendations, as described in a joint statement delivered by Article 19 at the Human Rights Council session today:

1. States should promote and comprehensively protect strong encryption and anonymity.
2. States should avoid all measures that weaken the security that individuals may enjoy online.
3. Restrictions should be targeted on a case-specific basis and should be limited to only what is necessary and proportionate for a legitimate aim.
4. States should not impose blanket prohibitions on encryption and anonymity, as they are neither necessary nor proportionate.
5. States should refrain from making identification of users a condition for access to online services or SIM card registration for mobile users (real-name registration).