Testimony on Human Rights and Encryption (may 18, 1999)

Links

Cryptography - GILC Resources

Crypto -CDT's Resources

Testimony on Human Rights and Encryption before the House Subcommittee on International Economic Policy and Trade Tuesday, May 18, 1999

I am Dinah PoKempner, deputy general counsel of Human Rights Watch, and I am grateful to the House Subcommittee on International Economic Policy and Trade for the opportunity to testify on encryption and its importance to human rights protection worldwide. Human Rights Watch is one of the largest human rights monitoring organizations in the world, deploying researchers to more than seventy countries worldwide to report on serious violations of international human rights and humanitarian law. We are a non-profit group that does not accept any government funding.

Our interest in encryption policy is longstanding and direct: Human Rights Watch was founded to uphold basic rights such as free expression, and we use encryption to protect our researchers and our human rights colleagues around the world when they communicate sensitive information on grave abuses of rights. We have participated as an amicus in the landmark Bernstein and Junger litigation and we are a founding member of the Global Internet Liberty Campaign, a consortium of non-governmental organizations dedicated to preserving freedom of expression and privacy in cyberspace.

Human Rights Applications of Encryption

The debate on policy has often referenced the utility of encryption to terrorists, on the one hand, and electronic businesses, on the other. Less often heard is the importance of encryption to those who risk their lives to expose and prevent human rights abuses, and it is this aspect of encryption I will discuss.

The Internet revolution has changed the world of human rights advocacy irrevocably. Where before it might have taken years for the outside world even to learn that mass murder had taken place (for example, Cambodia sealed off during the Khmer Rouge era), now documentation of abuses can be communicated in a matter of minutes from any point on earth. Until recently, repressive governments easily suppressed reports of their abuses; now banned newspapers and radio stations can take to the Web and find mirrors if governments try to block their sites. Activists would often struggle for years in isolation from colleagues in other countries; now global networks can tackle intransigent problems such as trafficking in children or the oppression of women living under Muslim law. The Internet has made human rights reportage, once available only to a relatively narrow audience, capable of inexpensive mass dissemination. As a consequence, such reporting has become a tool to mobilize popular opinion and action as never before.

The promise that the computer age holds for human rights is limited by the fact that electronic communications are highly vulnerable to interception, and this may have deadly consequences for those who would expose abuses of state power. Every year human rights proponents are attacked, jailed, disappeared and murdered, as we document in our annual World Report; in the first ten months of 1998, at least ten such killings took place. Victims of abuse are vulnerable to reprisal if they dare to report their suffering and incriminate their persecutors.

For these reasons, our organization's researchers regularly use encryption to ensure the confidentiality and integrity of their reports when they conduct field missions in places such as Bosnia, China, Lebanon, Rwanda, or Kashmir, and communicate their findings back to our headquarters. We often interview eyewitnesses to atrocities whose lives would be endangered were their identities discovered. Encryption allows us to transmit our data securely, and if necessary store it without fear it will fall into the wrong hands. It has been standard practice for communications to be encrypted between our headquarters and field posts in sensitive locations such as Kigali, Kosovo, Belgrade or Hong Kong. When our researchers gather evidence of atrocities and abuses, they encrypt their notes, transmit them as soon as possible, and delete them from the computers they carry. These precautions have proven invaluable.

On May 8, 1998, one of our researchers was arrested at the Kinshasa airport and detained for twenty four hours after having conducted a three-week human rights investigation for which he had been granted a visa. Investigators who wished to learn his contacts and sources of information threatened to beat him. Fortunately, he had encrypted his research notes, and was able to fend off threats until his release was secured.

We have learned of human rights activists in Belgrade who similarly have undergone threats and interrogation since the NATO bombing campaign began this year. In one case, the activist's computer was confiscated by police; fortunately the notes on abuses and governmental responsibility were encrypted.

Since 1993, the International Center for Research on Human Rights in Guatemala has collected about 6,500 interviews with witnesses and survivors of grave human rights violations, in addition to 15,000 cases from other sources. They entered this data into laptops, chosen so they could move the office quickly in the event that they had some notice before a death squad or army attack. These files were encrypted using Pretty Good Privacy or PGP, and unencrypted material was then wiped off the disk every night. Phil Zimmerman was present when the group presented its final report in January 1999 in Guatemala City and afterward, literally dozens of human rights activists thanked him personally for providing free strong cryptography. Some said that they thought that strong cryptography may have saved the lives of some witnesses. Guatemala's truth commission also encrypted its notes and e-mail; so too have field offices of United Nations organizations operating in perilous conditions.

Conversely, the lack of secure means of communicating or transporting data can have devastating consequences for human rights activists, as the following example illustrates.

In April 1998, the Democratic Republic of Congo arrested a member of the United Nations Secretary-General's Investigation Team who had been gathering evidence of massacres of Rwandan refugees in the former Zaire. When he was arrested in Kinshasa upon his return from the eastern part of the country, Congolese authorities meticulously copied his research notes as well as maps and reports entrusted to him by local human rights activists. This information incited a manhunt for the U.N. official's informants. Many went underground, to emerge later as refugees. One, Gallican Ntirivamunda, has disappeared and is presumed dead. He was a member of a group called The Grand Vision for Human Rights, which made detailed submissions to the United Nations on the massacres.

In contrast, a researcher we sent in 1997 to investigate these events took precautions to burn his notes every night after typing them into his laptop and encrypting them. His research, published as the report What Kabila is Hiding, was influential in encouraging the U.N. to pursue its own investigations of the massacres.

Other examples of reprisals that could have been averted with the help of encryption are easy to find, though few activists wish to publicize or emphasize security breaches. One need only look at the case of Lin Hai, the Shanghai entrepreneur who was sentenced to two years of imprisonment at a thirty minute trial for providing 30,000 e-mail addresses in China to a dissident on-line magazine produced in Washington.

Global Access to Encryption is Vital

As these examples illustrate, it is critical not only that U.S.-based human rights activists have access to encryption when they are abroad, but also that they can share encryption software with colleagues in repressive states who may then communicate securely. As someone who reported on human rights in Indochina for years, I can recall dozens of furtive conversations over monitored telephone lines with grassroots activists or political dissidents trying to verify the facts of crackdowns or impending arrests well enough to mobilize protest. Now imagine what a difference it would make if these eyewitnesses could communicate swiftly, fully and securely--if they could directly alert and answer the questions of members of this Congress.

Demand for encryption is strong among human rights activists and journalists, both in developed countries and countries where electronic communications are a recent introduction. African non-governmental organizations use it and are eager to learn more. Our organization has facilitated, with the financial assistance of a Swiss agency, a program to provide computers and training in use of cryptography to human rights monitors in Rwanda. Activists in China, Indonesia, East Timor and Malaysia use encryption to protect their communications regarding human rights abuses. A sampling of other groups that convened over the last year in Lagos and Dakar to exchange skills and training on encryption included organizations working in the Niger Delta who need to alert international counterparts to abuses they find, women's rights groups who wish to network with counterparts in Pakistan and other Muslim countries, and African activists who need secure communication lines to help provide testimony from victims and witnesses to the International Criminal Tribunal for Rwanda.

The conflict in Kosovo has created intense demand for secure communications, and serves as a case study of how export controls can complicate access. Computer privacy advocates at the Electronic Frontier Foundation (EFF) were concerned at the insecurity of existing electronic fora for Serbs and Kosovars who wanted to relate first-hand accounts of the hostilities. Secure communications in wartime are very useful, but especially difficult. People who are dodging bombs and security forces, and confronted with power interruptions or limitations in band width or connectivity, do not always have the time and technical ability to download and install complex programs such as PGP, much less master the program and exchange keys with their correspondents.

EFF teamed up with a private company, Anonymizer Inc., to solve this dilemma. In March of this year, Anonymizer launched a free service that provides persons in Yugoslavia and Kosovo a gateway to the Web that protects their identity, allowing them to anonymously access other sites and send encrypted e-mail. It is estimated that thousands are using it each day, many to relate eyewitness accounts of the war and search for relatives. Nevertheless, persons accessing the Anonymizer site are not necessarily safe from surveillance if they are using export-strength browsers. The Yugoslav government is thought to have sophisticated Russian technology for surveillance that would allow it to break 40-bit encryption in seconds. The Anonymizer provides a link to a site posting a software upgrade that persons with insecure browsers can use to fortify their security, but this, again, presumes that users have the time, resources and expertise to perform software customizing.

Strong encryption, such as the PGP program, is available worldwide, but restraints have inhibited both the sharing of compatible programs throughout the human rights community and the development of new encryption products for the mass market. Were mass-market strong encryption readily available worldwide, protection in times of crisis would be a reality for many more users. At present, human rights advocates in the most repressive countries are sometimes hesitant to use encryption simply because this unusual technology would itself call attention to their activities and bring reprisal; this problem will be solved when strong encryption in software and hardware becomes a ubiquitous feature of electronic communications. Loosening the U.S. export regime will bring that day closer.

The loosening of export controls is likely to spur the development of cryptography products, which is another step necessary for this technology to yield its full potential. Programs such as PGP are not difficult to use, but they do require a basic level of familiarity and expertise with computers. Programs that allow users not only to encrypt their communications but also hide the fact of their encryption (e.g. steganography) exist, but are difficult to use. Alas, the universe of human rights activists who are also computer adepts is extremely small. As demand grows for exportable products, it is likely that more mass-market, user-friendly systems will develop, and this will also make the use of encryption more ubiquitous and normal.

U.S. Policies in a Global Context

A global leader must think globally when it acts locally. Whatever regulatory framework the United States adopts for encryption will be studied abroad and is likely to be highly influential as other nations frame their own policies. Our domestic policies will also frame whether this country stands in a position to protest the suppression of human rights workers and the denial of secure communications to those living under governments that deny the fundamental freedom to seek, receive and impart information.

Given that there is little consensus domestically on the need to limit the strength of mass market encryption or impose key recovery systems on commercial encryption, it is particularly disturbing that the administration has vigorously pursued exporting such policies abroad. One such forum where it has done so is the Wassenaar Arrangement, a group of thirty-three member states that agree to adhere to common guidelines in discretionary export policies on conventional armaments and certain "dual use" items, including cryptography. Largely due to United States pressure, its secretariat announced in December 1998 new guidelines that would authorize restrictions on the export of most commercial cryptography products above a 56 or 64-bit strength. While United States and United Kingdom demands for key recovery features for exportable cryptography were not adopted, there is no indication the United States has given up this position and will not continue to press for it.

National Security and Fundamental Freedoms

The human rights community should not ignore that cryptography, like any new technology, poses genuine challenges to law enforcement. Neither should the law enforcement community ignore the important role that cryptography has played in protecting human life, exposing governmental abuse, and preserving the growth of democratic institutions.

In evaluating what, if any, restrictions are necessary to apply to cryptography, we must question who is actually deterred by export controls in force in the United States -- human rights activists and other law abiding citizens seeking to protect their basic rights, or the most dangerous types of criminal syndicates who have every reason to seek out and use strong encryption, regardless of its legality? Likewise, proposals that involve key recovery regimes must be scrutinized for whether they would actually protect against crime or open the door to new crimes given the potential for keys to be misused or transferred into unsafe hands.

What is at stake is more than abstract principle against the tangible reality of terrorism and other crime. It is the lives of men and women who assume tremendous risks in exposing atrocities, preserving human dignity, and demanding that abusers be brought to account. It is the beginning of a mass culture of human rights that may in the end prove a potent antidote to the diffuse and novel threats of a new technical age.

Related Material

Canadian Crypto Policies
No Breakthrough Yet on International Human Rights
HRW Press Release, October 5, 1998

Crypto Controls Threaten Human Rights
(HRW Press Release, September 18, 1998)

Encryption In The Service Of Human Rights
A congressional briefing, August 1, 1997

Free Expression on the Internet