(Geneva) - Governments should promote the use of strong encryption and protect anonymous expression online. In an era of unprecedentedly broad and intrusive government surveillance, these tools often offer the only safe way for people in repressive environments to express themselves freely.
On June 17, 2015, the United Nations special rapporteur on freedom of expression presented his report on the use of encryption and anonymity in digital communication to the UN Human Rights Council. The special rapporteur recognized that encryption and anonymity, as leading instruments for online security, enable people to exercise their rights to freedom of opinion and expression and the right to privacy in the digital age. The report urged countries to ensure that people are free to protect the privacy of digital communications by using strong encryption and anonymity tools.
“Strong encryption and anonymity are critical for protecting human rights defenders, journalists, and ordinary users in the digital age,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “Encryption allows us to preserve a safe, private space for free expression at a time when governments are expanding invasive surveillance worldwide.”
Human Rights Watch and 25 other human rights and media freedom organizations released a joint statement on June 17 urging countries to adopt the report’s recommendations.
Digital technologies have enabled intrusive surveillance on an unprecedented scope and scale. Such surveillance allows governments to identify journalistic sources, government critics, or members of persecuted minority groups and expose them to reprisals. Ordinary users also face a range of online dangers, from abusive surveillance to victimization by cybercriminals and other malicious actors. The special rapporteur recognized that strong encryption and anonymity defends Internet users from such threats and creates a “zone of privacy to protect opinion and belief” and other rights.
In recent years, many governments have sought to restrict access to strong encryption or limit anonymity online in the name of national security and public order. Russia and China have imposed real-name registration requirements on social media users or bloggers, limiting anonymous expression. The Chinese government is also considering new regulations to require technology companies to build “back doors” into hardware and software and has begun blocking encrypted web traffic.
Government officials in the US and UK have expressed concern that increased use of encryption on social media services or mobile devices will make it more difficult to prevent terrorism. These officials have accused Internet companies of creating “zones of lawlessness” and “dark places” where terrorists and criminals can flourish because some communications may not be accessible to law enforcement. Prime Minister David Cameron of the UK has pledged to ensure that no communications will be unreachable by its security services, suggesting that applications that do not comply with access requirements might be banned. Other officials in the US and UK have urged technology companies on install back doors or other vulnerabilities to allow law enforcement to circumvent protections.
Governments have an obligation to investigate and prosecute crimes and prevent terrorist attacks. But as the special rapporteur confirmed, “In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.”
Human rights defenders, journalists, and ordinary users rely on encryption, often implemented by the private sector, to secure their communications, Human Rights Watch said. Back doors and other vulnerabilities cannot be kept secret from bad actors with the skills to exploit such weaknesses, disproportionately undermining human rights. Technical security experts confirm that mandates that require companies to introduce intentional vulnerabilities into secure products also undermine cybersecurity.
Countries should support the report’s recommendations, Human Rights Watch and the other groups said:
- Countries should promote and comprehensively protect strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption and anonymity tools.
- Countries should avoid all measures that weaken security for individuals online, such as mandated "back doors," weak encryption standards, or key escrow arrangements. Requiring technology companies to build vulnerabilities into secured products unavoidably and disproportionately undermines the security for all users of that product.
- Any restrictions on encryption or anonymity should be targeted on a case-specific basis and should be limited to only what is necessary and proportionate for a legitimate aim.
- Countries should not impose blanket prohibitions on encryption and anonymity, as they are neither necessary nor proportionate. Some forms of regulation may, in practice, amount to a blanket prohibition and should not be adopted – for example, requiring licenses for encryption, mandating weak technical standards for encryption, or controlling the import or export of encryption tools.
- Countries should refrain from making identification of users (that is, real-name registration) a condition for access to online services or SIM card registration for mobile users. Countries should also refrain from limiting access to anonymity tools.
The special rapporteur has also called on the private sector to review their practices and ensure respect for human rights norms. The security practices of information and communications technology companies can significantly promote or compromise encryption and anonymity, along with user rights, online. These companies have a responsibility to respect the human rights of their users, including when faced with demands from governments to undermine the security of their users and restrict privacy online, Human Rights Watch said.
Technology companies should employ strong encryption and support anonymous communication across digital products and services. Companies should also resist government requests to weaken the security of online services and devices and oppose real name registration requirements.
“This report directly challenges the claim of some governments that encryption is primarily a tool for terrorists and criminals by illustrating how important it is to a range of human rights,” Wong said. “As a first step, governments should repeal real name registration requirements and stop trying to force companies to build in back doors that weaken security online.”