United Nations Human Rights Chief Warns of the Dangers of Breaking Encryption & Mass Surveillance

Today, the Office of the High Commissioner for Human Rights will present the report ‘The right to privacy in the digital age’ to the UN Human Rights Council in Geneva. The report takes aim at the use of intrusive hacking tools, and the widespread monitoring of public places. Furthermore, the report unequivocally defends the importance of end-to-end encryption in the protection of democracy and human rights worldwide.

Deep Concerns Over the EU’s Child Sexual Abuse Online Proposal

The report specifically references the European Commission’s recent proposal on rules to prevent and combat child sexual abuse (CSA Regulation). The report highlights how, by imposing broad monitoring obligations for all communications, the proposal would force service providers to either abandon transport encryption, or seek access to messages before they are encrypted. Either one of these alternatives would break end-to-end encryption and therefore would pose a serious threat to all users’ rights, including child users. Indeed the report recalls the work of the UN Committee on the Rights of the Child, which has also called for strict human rights safeguards in relation to interference with encrypted communications.

The report concludes, as CDT also highlighted in its analysis of the CSA Regulation, that general scanning of communications inevitably leads to the implication of innocent individuals and violates people’s rights to privacy in the contents of their communications. The report also cautions more generally that government interference with encrypted communications, and indiscriminate surveilling of the public would de facto not meet the standards of proportionality, necessity and effectiveness as required under international human rights law. As a result, such actions would undermine the very essence of the right to privacy. Concerningly, this strongly echoes the reasoning of the European Data Protection Supervisor and Board in their Opinion on the CSA proposal, where they concluded that the proposal as drafted does breach the very essence of the right to privacy.

The report also called out other governmental attacks on encryption in the UK’s Online Safety Bill, in the EARN IT Act in the U.S., and in the Intermediary Rules adopted by India. It also recognized two important concepts that animate the debate around encryption: first, that client side scanning mandates are fundamentally incompatible with end-to-end encryption, and second, that traceability mandates can weaken encryption standards. 

Calls for Action Regarding The Proliferation of Spyware

The report also tackles the theme of spyware, in particular in light of the Pegasus revelations. It is important that the High Commissioner has again insisted upon the need for judicial safeguards and oversight with regard to any instance of State surveillance. Furthermore, the report specifies that any such initiatives must be reserved for cases to investigate a specific serious crime or act, and that it must be targeted exclusively to people who are actual suspects related to the commission of such an act.

This is an important and powerful message from the UN Human Rights Chief at a time where governments and private companies are increasingly working to water down and circumvent safeguards. The report reiterates OHCHR’s call for a moratorium on the sale, transfer and use of hacking tools until a human rights-based safeguards regime is in place. The European Union’s Regulation on Dual Use is mentioned as an export control regulation that includes human rights considerations. 

At the same time, CDT would caution that during the recent European Parliament hearings linked to its Pegasus investigation, it became apparent that, despite the existence of this export control regime, Pegasus technologies have been exported from a number of EU member states. At the time of its agreement, civil society actors cautioned that the EU Regulation included a very narrow definition of cybersurveillance items, and too much ambiguity surrounding what would need to be included in the human right assessment in advance of issuing an export license. Careful consideration will therefore have to be given to the effectiveness of the EU’s Regulation before efforts are made to internationalise it. CDT will be engaging in this area and will produce recommendations along these lines next year. 

The Perils of Pervasive Surveillance

The report also importantly draws attention to the cumulative adverse effects of pervasive surveillance, when data and information is collected from publicly available online sources, as well as from public spaces. There is a worrying global trend of the expansion of unlawful surveillance both by states and private actors. Such deep interference with the right to privacy can have a profound negative impact on democracy, free expression and the enjoyment of many other human rights. This is why, the report recalls, any interference with the right to privacy, whether that be hacking, restrictions to access and use of encryption technology or surveillance of the public, must comply with international human rights law. This means the principles of legality, legitimate aim, necessity and proportionality and non-discrimination must be systematically applied. 

CDT welcomes this landmark report and calls on states and private companies to swiftly implement its recommendations.