Human rights and encryption
Human rights applied to encryption is an important concept for freedom of expression as encryption is a technical resource of implementation of basic human rights.
With the evolution of the digital age, application of freedom of speech becomes more controversial as new means of communication and restrictions arise including government control or commercial methods putting personal information to danger. From a human rights perspective, there is a growing awareness that encryption is an important piece of the puzzle for realizing a free, open and trustworthy Internet.[1]
Human rights are moral principles or norms that describe certain standards of human behavior, and are regularly protected as legal rights in municipal and international law.[2] They are commonly understood as inalienable[3] fundamental rights "to which a person is inherently entitled simply because she or he is a human being",[4] and which are "inherent in all human beings"[5] regardless of their nation, location, language, religion, ethnic origin or any other status.[3] They are applicable everywhere and at every time in the sense of being universal,[2] and they are egalitarian in the sense of being the same for everyone.[3]
Cryptography is a long-standing subject in the field of mathematics, computer science and engineering. It can generally be defined as "the protection of information and computation using mathematical techniques."[6] In the OECD Guidelines, Encryption and cryptography are defined as follows: "Encryption" means the transformation of data by the use of cryptography to produce unintelligible data (encrypted data) to ensure its confidentiality. Cryptography" means the discipline which embodies principles, means, and methods for the transformation of data to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation, and/or prevent its unauthorized use.[7] encryption and cryptography are "often used synonymously, although "cryptographic" has a broader technical meaning. For example, a digital signature is "cryptographic" but arguably it is not technically "encryption"".[8][1]
The human rights aspects related to the availability and use of a technology of particular significance for the field of information and communication is recognised in many places. Freedom of expression is recognized as a human right under article 19 of the Universal Declaration of Human Rights and recognized in international human rights law in the International Covenant on Civil and Political Rights (ICCPR). Article 19 of the UDHR states that "everyone shall have the right to hold opinions without interference" and "everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice".[9]
Overview
Since the 1970s, the availability of digital computing and the invention of public key cryptography has made encryption more widely available. Previously, strong versions of encryption were the domain of nation state actors. However, since the year 2000, cryptographic techniques have been widely deployed by a variety of actors to ensure personal, commercial and public sector protection of information and communication. Cryptographic techniques are also used to protect anonymity of communicating actors and protecting privacy more generally. The availability and use of encryption continues to lead to complex, important and highly contentious legal policy debates. There are government statements and proposals on the need to curtail such usage and deployment in view of the potential hurdles it could present for access by government agencies. The rise of commercial services offering end-to-end encryption and the calls for restrictions and solutions in view of law enforcement access are pushing towards more and more debates around the use of encryption and the legal status of the deployment of cryptography more generally.[1]
Encryption, as defined above, refers to a subset of cryptographic techniques for the protection of information and computation. The normative value of encryption, however, is not fixed but varies with the type of cryptographic method that is used or deployed and for which purposes. Traditionally, encryption (cypher) techniques were used to ensure the confidentiality of communications and prevent access to information and communications by others than intended recipients. Cryptography can also ensure the authenticity of communicating parties and the integrity of communications contents, providing a key ingredient for enabling trust in the digital environment.[1]
There is a growing awareness within human rights that encryption plays an important role in realizing a free, open and trustworthy Internet. UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye observed, during the Human Rights Council in June 2015, that encryption and anonymity deserve a protected status under the rights to privacy and freedom of expression:
"Encryption and anonymity, today's leading vehicles for online security, provide individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and information without interference and enabling journalists, civil society organizations, members of ethnic or religious groups, those persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others to exercise the rights to freedom of opinion and expression."[10][1]
Encryption in media and communication
Two types of encryption in media and communication can be distinguished:
- Encryption in media and communication could be used as a result of choice of a service provider or deployed by Internet users. Client-side encryption tools and technologies are relevant for marginalized communities, journalists and other online media actors practicing journalism as it becomes a way of protecting their rights.
- Encryption provided by service providers can prevent unauthorized third party access, but the service provider implementing it would still have access to the relevant user data. End-to-end encryption is an encryption technique that refers to encryption that also prevents service providers themselves from having access to the user's communications. The implementation of these forms of encryption have sparked the most debate since the year 2000.[1]
Service provider deployed techniques to prevent unauthorized third-party access
Amongst the most widely deployed cryptographic techniques is securing the communications channel between internet users and specific service providers from man-in-the-middle attacks, access by unauthorized third parties. These cryptographic techniques must be run jointly by a user and the service provider to work. This means that they require service providers, such as an online news publisher or a social network, to actively integrate them into service design and implementation. Users cannot deploy these techniques unilaterally; their deployment is contingent on active participation by the service provider. The TLS protocol, which becomes visible to the normal internet user through the HTTPS header, is widely used for securing online commerce, e-government services and health applications as well as devices that make up networked infrastructures, e.g., routers, cameras. However, although the standard has been around since 1990, the wider spread and evolution of the technology has been slow. As with other cryptographic methods and protocols, the practical challenges related to proper, secure and (wider) deployment are significant and have to be considered. Many service providers still do not implement TLS or do not implement it well.
In the context of wireless communications, the use of cryptographic techniques that protect communications from third parties are also important. Different standards have been developed to protect wireless communications: 2G, 3G and 4G standards for communication between mobile phones, base stations and base stations controllers; standards to protect communications between mobile devices and wireless routers ('WLAN'); and standards for local computer networks.[11] One common weakness in these designs is that the transmission points of the wireless communication can access all communications e.g., the telecommunications provider. This vulnerability is exacerbated when wireless protocols only authenticate user devices, but not the wireless access point.[1]
Whether the data is stored on a device, or on a local server as in the cloud, there is also a distinction between 'at rest'. Given the vulnerability of cellphones to theft for instance, particular attention may be given to limiting service provided access. This does not exclude the situation that the service provider discloses this information to third parties like other commercial entities or governments. The user needs to trust the service provider to act in its interests. The possibility that a service provider is legally compelled to hand over user information or to interfere with particular communications with particular users, remains.[1]
Privacy Enhancing Technologies
There are services that specifically market themselves with claims not to have access to the content of their users' communication. Service Providers can also take measures that restrict their ability to access information and communication, further increasing the protection of users against access to their information and communications. The integrity of these Privacy Enhancing Technologies (PETs), depends on delicate design decisions as well as the willingness of the service provider to be transparent and accountable.[2] For many of these services, the service provider may offer some additional features (besides the ability to communicate), for example contact list management—meaning that they can observe who is communicating with whom—but take technical measures so that they cannot read the contents of the messages. This has potentially negative implications for users, for instance, since the service provider has to take action to connect users who want to communicate using the service, it will also have the power to prevent users from communicating in the first place.[1]
Following the discovery of vulnerabilities, there is a growing awareness that there needs to be more investment in the auditing of widely used code coming out of the free and open software community. The pervasiveness of business models that depend on collection and processing of user data can be an obstacle for adopting cryptographic mechanisms for protecting information at rest. As Bruce Schneier, has stated:[12]
"[s]urveillance is the business model of the Internet. This has evolved into a shockingly extensive, robust, and profitable surveillance architecture. You are being tracked pretty much everywhere you go on the Internet, by many companies and data brokers: ten different companies on one site, a dozen on another."[12] Cryptographic methods play a key role in online identity management.[12]
Digital credential systems can be used to allow anonymous yet authenticated and accountable transactions between users and service providers, and can be used to build privacy preserving identity management systems.[13][1]
End-user and community-driven encryption and collaborative services
The Internet allows end-users to develop applications and uses of the network without having to coordinate with the relevant internet service providers. Many of the available encryption tools are not developed or offered by traditional service providers or organizations but by experts in the free and open software (FOSS) and Internet engineering communities. A major focus of these initiatives is to produce Privacy Enhancing Technologies (PETs) that can be unilaterally or collaboratively deployed by interested users who are ready, willing, and able to look after their own privacy interests when interacting with service providers. These PETs include standalone encryption applications as well as browser add-ons that help maintain the confidentiality of web-based communications or permit anonymous access to online services. Technologies such as keystroke loggers can intercept content as it is entered before encryption is applied, thereby falling short of offering protection. Hacking into information systems and devices to access data at or after the moment of decryption may have the same effect.[1]
Multi-party computation (MPC) techniques are an example of Collaboration|collaborative solutions that allow parties, e.g. NGOs with sensitive data, to do data analytics without revealing their datasets to each other. All of these designs leverage encryption to provide privacy and security assurances in the absence of a trustworthy centralized authority.[1]
There are many developments in the implementations of crypto-currencies using blockchain protocols. These systems can have many benefits and these protocols can also be useful for novel forms of contracts and electronic attestation, useful aids when legal infrastructure are not readily available. As to the protection of privacy related to payments, it is a common misconception that the cryptographic techniques that are used in Bitcoin ensure anonymous payments. The only protection offered by Bitcoin is pseudonymity.[14]
The cryptographic protection of metadata
The availability of metadata (the information relating to a user's information and communications behavior) can pose a particular threat to users including information that can be observed by service providers through the provisioning of services: when, how frequently, how long, and with whom users are communicating. Metadata can also be used to track people geographically and can interfere with their ability to communicate anonymously. As noted by the Berkman Center report, metadata is generally not encrypted in ways that make it inaccessible for governments, and accordingly "provides an enormous amount of surveillance data that was unavailable before [internet communication technologies] became widespread."[15] To minimize exposure of meaningful metadata, encryption tools may need to be used in combination with technologies that provide communication anonymity.
The Onion Router
The Onion Router, most commonly known as Tor, offers the ability to access websites and online services anonymously. Tor requires a community of volunteers to run intermediary proxies which channel a user's communication with a website so that third parties cannot observe who the user is communicating with. Through the use of encryption, each proxy is only aware of part of the communication path meaning that none of the proxies can by itself infer both the user and the website she is visiting. Besides protecting anonymity, Tor is also useful when the user's ISP blocks access to content.[1] This is similar as the protection that can be offered by a VPN. Service providers, such as websites, can block connections that come from the Tor network. Because certain malicious traffic may reach service providers as Tor traffic and because Tor traffic may also interfere with the business models, service providers may have an incentive to do so. This interference can prevent users from using the most effective means to protect their anonymity online. The Tor browser allows users to obfuscate the origin and end-points of their communications when they communicate on the internet.[1]
Obfuscation
Obfuscation, the automated generation of "fake" signals that are indistinguishable from users' actual online activities, providing users with a noisy "cover" under which their real information and communication behavior remains unobservable. Obfuscation has received more attention as a method to protect users online recently. TrackMeNot is an obfuscation tool for search engine users: the plugin sends fake search queries to the search engine, affecting the ability of the search engine provider to build an accurate profile of the user. Although TrackMeNot and other search obfuscation tools have been found to be vulnerable to certain attacks that allow search engines to distinguish between user-generated and computer-generated queries, further advances in obfuscation are likely to play a positive role in protecting users when disclosure of information is inevitable, as in the case of search or location-based services.[1]
Cryptography, law and human rights
Restrictions on cryptographic techniques
Recent incidents of terrorism have led to further calls for restrictions on encryption.[16] Even though, in the interest of public safety, there are many proposals to interfere with the free deployment of strong encryption, these proposals do not hold against close scientific scrutiny. These proposals side-step a more fundamental point, related to what is at stake for users. More advanced security measures seem necessary for governments, considering the existing threat landscape for users of digital communications and computing.[16]
While many governments consider that encryption techniques could present a hurdle in the investigation of crime and the protection of national security, certain countries, such as Germany or the Netherlands have taken a strong position against restrictions on encryption on the Internet.[17] In 2016, the Ministers of the Interior of France and Germany have jointly stated the need to work on solutions for the challenges law enforcement can face as a result of end-to-end encryption, in particular when offered from a foreign jurisdiction.[18] In a joint statement, the European Agency for Network and Information Security (ENISA) and Europol have also taken a stance against the introduction of backdoors in encryption products.[19] In addition, restrictions would have serious detrimental effects on cyber security, trade and e-commerce.[20][1]
Encryption and the law: the broader landscape
Privacy and data protection legislation is closely related to the protection of human rights. There are now more than 100 countries with data protection laws.[21] One of the key principles for the fair and lawful processing of personal information regulated by data protection laws is the principle of security. This principle implies that proper security measures are taken to ensure the protection of personal data against unlawful access by others than intended recipients.[1] The European Union General Data Protection Regulation, which was adopted in 2016 and will enter in to force in 2018, contains an advanced set of rules with respect to the security of personal data.[1]
Encryption can be a safeguard against personal data breaches for the UN, as it can facilitate the implementation of privacy and data protection by design.[1] Cryptography has also been an essential ingredient for establishing the conditions for e-Commerce over the Internet. The OECD Principles were adopted to ensure that national cryptography policy would not interfere with trade and to ensure the conditions for international developments in e-Commerce.[1]
International cryptography policy and human rights
The policy debate about encryption has a significant international dimension because of the international nature of the communications networks and the Internet as well as trade, globalization and the national security dimensions. The OECD adopted a Recommendation Concerning Guidelines for Cryptography Policy on March 27, 1997. There are three components to this policy intervention of the OECD, which is primarily aimed at its Member Countries: a recommendation of the OECD Council, Guidelines for Cryptography Policy (as an Annex to the Recommendation) and a Report on Background and Issues of Cryptography Policy to explain the context for the Guidelines and the basic issues involved in the cryptography law and policy debate. The Principle most explicit about the connection to human rights is Principle 5 on the Protection of Privacy and Personal Data: "The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods."[1]
UNESCO, after consulting stakeholders, identified encryption as a relevant element for policy on privacy and freedom of expression. The Keystones Report (2015) articulates that "to the extent that our data can be considered representative of ourselves, encryption has a role to play in protecting who we are, and in preventing abuse of user content. It also allows for greater protection of privacy and anonymity in transit by ensuring that the contents (and sometimes also the metadata) of communications are only seen by the intended recipient."[22] The report recognizes "the role that anonymity and encryption can play as enablers of privacy protection and freedom of expression", and proposes that UNESCO facilitate dialogue on these issues.[1]
The Necessary and Proportionate Principles developed and adopted by civil society actors stipulates the protection of the integrity of communications systems as one of its 13 principles.[23] The principles themselves do not provide for explicit guidance on specific cryptographic policy issues such as backdoors or restrictions on the deployment of encryption. The guidance that is offered by the OECD principles and the recent positions of the UN Rapporteur on Encryption state the importance of encryption for the protection of human rights. While it does not give a definitive answer to the question of whether a mandate for encryption backdoors is to be considered incompatible with international law, it does point in that direction. Generally, the available guidance at the international level clarifies that when limitations are imposed on encryption, relevant human rights guarantees have to be strictly observed.[1]
National level developments in selected countries
United States of America
There has been a broad, active and contentious policy debate on encryption in the US since the 1990s beginning with the 'Crypto Wars'. This involved the adoption of the Communications Assistance for Law Enforcement Act (CALEA), containing requirements for telecommunications providers and equipment manufacturers to ensure the possibility of effective wiretapping.[24] It also involved a debate over existing export controls on strong encryption products (considering their classification as munition) and a criminal investigation into cryptographic email software developer and activist Phil Zimmermann. The case was dropped and the general debate resolved after the liberalization of export controls on most commercial products with strong encryption features and the transfer of these items from the U.S.A. Munitions List (USML), administered by the Department of State, to the Commerce Control List (CCL), administered by the Department of Commerce.[25] The USA Department of Commerce maintains some controls over items on the CCL, including registration, technical reviews and reporting obligations, and continues to impose licensing and other requirements for sensitive encryption items and sales of such items to foreign governments.[1]
The debate ignited after the Edward Snowden revelations and the well-documented increase in deployed encryption measures by Internet services, device makers and users, as well as a concerted call from the technical community and civil society to increase encryption use and security to address mass surveillance practices.[26] The increased adoption of encryption by the industry has been received critically by certain government actors, the FBI in particular.[1] This led to the widely reported FBI–Apple encryption dispute over the possibility to gain access to information on the iPhone in assistance to law enforcement. In 2016, several bills were introduced in the US Congress that would place new limits encryption under USA law. The USA's legal system promotes and requires security measures to be implemented in the relevant contexts, including cryptographic methods of various kinds, to ensure security in commerce and trade. Relevant laws are the Federal Information Security Modernization Act (FISMA) of 2014, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) and also the Federal Trade Commission Act. These acts contain security requirements and thereby indirectly require or stimulate the use of encryption in certain circumstances. Finally, many state breach notification laws treat encrypted data as a safe harbor by exempting firms that have encrypted data from notice obligations.[1]
Constitutional considerations and human rights play a role of significance in the USA debate about the legal treatment of encryption methods. Restrictions on distribution of cryptographic protocols, and the publication of cryptographic methods are considered an interference with the First Amendment, the USA constitutional safeguard protecting freedom of expression.[1] The USA has particularly active and strongly developed civil society actors involved in cryptographic policy and practice.
The United States of America is a primary site for cryptology research and engineering, development and implementation of cryptographic service innovations. There is an active community of Non-Governmental Organizations engaged in the national and international debate on encryption policy.[27] The predominant interferences with strong encryption that take place or are being considered take place in the field of national security, law enforcement and Foreign Affairs. In this area and in answering the contentious question of whether and how lawful access to specific communications could be ensured, the US Government has internationally explained its policy as one aiming to ensure that 'responsibly deployed encryption' helps to "secure many aspects of our daily lives, including our private communications and commerce", but also "to ensure that malicious actors can be held to account without weakening our commitment to strong encryption".[1]
Germany
As part of the global debate on encryption in the late 1990s, a debate also took place in Germany about the need and legitimacy of imposing a general ban on the encryption of communications because of the impact on criminal investigations.[28] There were profound doubts concerning the constitutional legitimacy as well as concerns about negative factual consequences of such a ban.[28] In qualitative terms, a number of fundamental rights are considered to be affected by restrictions on encryption: the secrecy of telecommunications, expressions of the general right of personality and, indirectly, all communicative freedoms that are exercisable over the Internet.[29] The Federal Government set key points in 1999 for the German cryptographic policy which should especially provide confidence in the security of encryption instead of restricting it.[1] Besides the statements of the German Minister of the Interior towards possible future restrictions, Germany aligns with the position of the UN Special Rapporteur David Kaye and adopts policies of non-restriction or comprehensive protection and only adopts restrictions on a case-specific basis. In November 2015 governmental representatives as well as representatives of the private sector signed a "Charter to strengthen the trusted communication "(Charta zur Stärkung der vertrauenswürdigen Kommunikation) together, in which they stated: "We want to be Encryption Site No. 1 in the world".[30] The German Government has also used its foreign policy to promote international privacy standards.[1] In particular, Germany, in a joint effort with Brazil, committed itself in the Human Rights Council for the appointment of an UN Special Rapporteur on Privacy.[31] There are multiple examples of how there have been efforts by the government to implement encryption policy. They range from informal actions, to laws and regulations: The IT Security Act in 2015, the 'De-Mail' law. There are also several sector-specific rules for encryption and information security in Germany, like the Telecommunications Act (TKG). The German Constitutional Court has also provided valuable input for the international legal handling of encryption techniques with the IT basic right, with which, the constitutional court recognizes that parts of one's personality go into IT systems and therefore the applied protection has to travel with it.[1]
India
There are a number of limitations on the free deployment of encryption by electronic communications services despite the fact that Indian law and policy promotes and requires the implementation of strong encryption as a security measure, such as in banking, ecommerce and by organizations handling sensitive personal information.[1] There is notable legal uncertainty about the precise legal scope of these license requirements and to what extent they could have legal effect on (the use of or deployment of ) services by the end-users of covered services. The encryption debate ignited publicly in India in 2008 after the Government published a draft proposal with a number of envisioned limitations on the use of encryption. The policy, issued under Section 84A of the Indian Information Technology (Amendment) Act, 2008 was short-lived, but worries remain about the lack of safeguards for privacy and freedom of expression that the draft illustrated.[1] In response to the outcry, the Indian government first exempted "mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as Whatsapp, Facebook, Twitter etc." Soon thereafter, it withdrew the proposed policy and a new policy has not been made public yet.[1]
Section 84A of the Indian Information Technology (Amendment) Act, 2008 empowers the government to formulate rules on modes of encryption for the electronic medium. Legal commentators have noted the lack of transparency about what types of encryption use and deployment are permitted and required under Indian law, especially in the field of electronic communications services.[1] Thus, the Central Indian Government has, in theory, a broad exclusive monopoly over electronic communications which includes the privilege to provide telecommunication and Internet services in India.[1]
Brazil
After the Edward Snowden revelations in 2013, Brazil was at the forefront of a global coalition promoting the right to privacy at the UN and condemning USA mass surveillance. In recent events, Brazil has demonstrated diverse aims when it comes to the use and implementation of encryption. On the one side, the country is a leader in providing a legal framework of rules for the Internet.[1] But it has also taken several measures that may be seen to restrict the dissemination of encryption technology. In 2015, in a process that was open for public comments and discussions, Brazil's legislator drafted a new privacy bill ("proteção de dados pessoais"), which was sent to Brazil's Federal Congress on May 13, 2016 and came into force as Bill 5276 of 2016.[32] It regulates and protects personal data and privacy, including online practices and includes provisions for more secure methods such as encryption on the treatment of personal data. The law also addresses security issues and a duty for companies to report any attacks and security breaches. With the Marco Civil (2014), that introduces principles like neutrality, the Brazilian Civil Rights Framework for the Internet, Brazil was one of the first countries to ever introduce a law, that aims at combining all Internet rules in one bundle. Brazil has a well-established e-government model: The Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil).[33] Since 2010 ICP-Brasil certificates can be partly integrated in Brazilian IDs, which can then be used for several services like tax revenue service, judicial services or bank related services. In practice, the ICP-Brasil digital certificate acts as a virtual identity that enables secure and unique identification of the author of a message or transaction made in an electronic medium such as the web. Brazilian courts have taken a stance against encryption in private messaging services by repeatedly ordering the blocking of the messaging service WhatsApp.[34] Since it switched to a full end-to-end encryption, the service has been periodically blocked as a result of a court order in an attempt to make the company comply with demands for information.[1]
African countries
The African (Banjul) Charter on Human and People's Rights, was adopted in the context of the African Union in 1981.[35] A Protocol to the Charter, establishing the African Court on Human and Peoples' Rights was adopted in 1998 and came into effect in 2005. In the area of information policy, the African Union has adopted the African Union Convention on Cyber Security and Personal Data Protection.[36] The provisions on personal data protection in this Convention generally follow the European model for the protection of data privacy and contains a number of provisions on the security of personal data processing.[1] A civil society initiative has adopted a specific African Declaration on Internet Rights and Freedoms "to help shape approaches to Internet policy-making and governance across the continent".[37]
Northern Africa
Different countries in the North-African region have not seen a significant rise in legal actions aiming at the suppression of encryption in the transformations that started in 2011. Although legislation often dates back to before the transformations, the enforcement has become stricter since then. No difference in the position towards cryptography can be seen between the countries that had successful revolutions and went through regime changes and those that didn't.[1]
Tunisia has several laws that limit online anonymity.[1] Articles 9 and 87 of the 2001 Telecommunication Code ban the use of encryption and provide a sanction of up to five years in prison for the unauthorized sale and use of such techniques.[38]
In Algeria, users have legally needed authorization for the use of cryptographic technology from the relevant telecommunications authority ARPT (Autorité de Régulation de la Poste et des Télécommunications) since 2012.[39]
In Egypt, Article 64 of the 2003 Telecommunication Regulation Law states that the use of encryption devices is prohibited without the written consent of the NTRA, the military, and national security authorities.[40]
In Morocco, the import and export of cryptographic technology, be it soft- or hardware, requires a license from the government. The relevant law No. 53-05 (Loi n° 53-05 relative à l'échange électronique de données juridiques) went into effect in December 2007.[41]
East Africa
There are no specific provisions in effect in countries in the East-African region restricting the use of encryption technology. As in other African countries, the main reason given for State surveillance is the prevention of terroristic attacks. Kenya with its proximity to Somalia, has cited this threat for adopting restrictive actions. The country has recently fast-tracked a Computer and Cybercrime Law, to be adopted in the end of 2016.[42] In Uganda a number of laws and ICT policies have been passed over the past three years, none of them however deal with encryption. In 2016, following the Presidential Elections, the Ugandan government shut down social networks such as Twitter, Facebook and WhatsApp.[43]
West Africa
West-African countries neither limit the import or export of encryption technology, nor its use, most national and foreign companies still rely on the use of VPNs for their communication. Ghana recently introduced a draft law aiming at intercepting electronic and postal communications of citizens, to aid crime prevention. Section 4(3) of the proposed bill gives the government permission to intercept anyone's communication upon only receiving oral order from a public officer.[44] Recently the Nigerian Communications Commission has drafted a bill regarding Lawful Interception of Communications Regulations.[45] If passed, the bill allows the interception of all communication without judicial oversight or court order and forces mobile phone companies to store voice and data communication for three years. Furthermore, the draft plans to give the National Security Agency a right to ask for a key to decrypt all encrypted communication.[1]
Southern Africa
Users in South Africa are not prohibited from using encryption.[46] The provision of such technology, however, is strictly regulated by the Electronic Communications and Transactions Act, 2002.[47]
Central Africa
Countries in Central Africa, like the Democratic Republic of Congo, the Central African Republic, Gabon and Cameroon do not yet have a well-developed legal framework addressing Internet policy issues. The Internet remains a relatively unregulated sphere.[1]
Human rights legal framework related to cryptography
International instruments
While a very broad range of human rights is touched upon by Digital Technologies, the human rights to freedom of expression (Art. 19 International Covenant on Civil and Political Rights [ICCPR]) and the right to private life (Art. 17 ICCPR) are of particular relevance to the protection of cryptographic methods. Unlike the Universal Declaration of Human Rights (UDHR) which is international 'soft law', the ICCPR is a legally binding international treaty.[48]
Restrictions on the right to freedom of expression are only permitted under the conditions of Article 19, paragraph 3. Restrictions shall be provided for by law and they shall be necessary (a) for the respect of the rights or reputations of others or (b) for the protection of national security or of public order or of public health or morals.[1] A further possibility for restriction is set out in Art. 20 ICCPR,[49] In the context of limitations on cryptography, restrictions will most often be based on Article 19 (3)(b), i.e. risks for national security and public order. This raises the complex issue of the relation, and distinction, between security of the individual, e.g. from interference with personal electronic communications, and national security. The right to privacy[50] protects against 'arbitrary or unlawful interference' with one's privacy, one's family, one's home and one's correspondence. Additionally, Article 17(1) of the ICCPR protects against 'unlawful attacks' against one's honor and reputation.[1] The scope of Article 17 is broad. Privacy can be understood as the right to control information about one's self.[51] The possibility to live one's life as one sees fit, within the boundaries set by the law, effectively depends on the information which others have about us and use to inform their behavior towards us. That is part of the core justification for protecting privacy as a human right.[1]
In addition to the duty to not infringe these rights, States have a positive obligation to effectively ensure the enjoyment of freedom of expression and privacy of every individual under their jurisdiction.[52] These rights may conflict with other rights and interests, such as dignity, equality or life and security of an individual or legitimate public interests. In these cases, the integrity of each right or value must be maintained to the maximum extent, and any limitations required for balancing have to be in law, necessary and proportionate (especially least restrictive) in view of a legitimate aim (such as the rights of others, public morals and national security).[1]
Guaranteeing "uninhibited communications"
Encryption supports this mode of communication by allowing people to protect the integrity, availability and confidentiality of their communications.[1] The requirement of uninhibited communications is an important precondition for freedom of communication, which is acknowledged by constitutional courts e.g. US Supreme Court[53] and the German Bundesverfassungsgericht[54] as well as the European Court of Human Rights.[55] More specifically, meaningful communication requires people's ability to freely choose the pieces of information and develop their ideas, the style of language and select the medium of communication according to their personal needs. Uninhibited communication is also a precondition for autonomous personal development. Human beings grow their personality by communicating with others.[56] UN's first Special Rapporteur on Privacy, professor Joe Cannataci, stated that "privacy is not just an enabling right as opposed to being an end in itself, but also an essential right which enables the achievement of an over-arching fundamental right to the free, unhindered development of one's personality".[57] In case such communication is inhibited, the interaction is biased because a statement does not only reflect the speaker's true (innermost) personal views but can be unduly influenced by considerations that should not shape communication in the first place.[1] Therefore, the process of forming one's personality through social interaction is disrupted. In a complex society freedom of speech does not become reality when people have the right to speak. A second level of guarantees need to protect the precondition of making use of the right to express oneself. If there is the risk of surveillance the right to protect one freedom of speech by means of encryption has to be considered as one of those second level rights. Thus, restriction of the availability and effectiveness of encryption as such constitutes an interference with the freedom of expression and the right to privacy as it protects private life and correspondence. Therefore, it has to be assessed in terms of legality, necessity and purpose.[1]
Procedures and transparency
Freedom of expression and the right to privacy (including the right to private communications) materially protect a certain behavior or a personal state.[1] It is well established in fundamental rights theory that substantive rights have to be complemented by procedural guaranties to be effective.[58] Those procedural guarantees can be rights such as the right to an effective remedy. However, it is important to acknowledge that those procedural rights must, similar to the substantive rights, be accompanied by specific procedural duties of governments without which the rights would erode. The substantial rights have to be construed in a way that they also contain the duty to make governance systems transparent, at least to the extent that allows citizens to assess who made a decision and what measures have been taken. In this aspect, transparency ensures accountability. It is the precondition to know about the dangers for fundamental rights and make use of the respective freedoms.[1]
Security intermediaries
The effectuation of human rights protection requires the involvement of service providers. These service providers often act as intermediaries facilitating expression and communication of their users of different kinds.[59] In debates about cryptographic policy, the question of lawful government access – and the conditions under which such access should take place in order to respect human rights – has a vertical and national focus. Complexities of jurisdiction in lawful government access are significant and present a still unsolved puzzle. In particular, there has been a dramatic shift from traditional lawful government access to digital communications through the targeting of telecommunications providers with strong local connections, to access through targeting over-the-top services with fewer or loose connections to the jurisdictions in which they offer services to users. In which cases such internationally operating service providers should (be able to) hand over user data and communications to local authorities. The deployment of encryption by service providers is a further complicating factor.[1]
From the perspective of service providers, it seems likely that cryptographic methods will have to be designed to account for only providing user data on the basis of valid legal process in certain situations. In recent years, companies and especially online intermediaries have found themselves increasingly in the focus of the debate on the implementation of human rights.[60] Online intermediaries[56] not only have a role of intermediaries between Content Providers and users but also one of "Security Intermediaries" in various aspects. Their practices and defaults as regards encryption are highly relevant to the user's access to and effective usage of those technologies. Since a great amount of data is traveling through their routers and is stored in their clouds, they offer ideal points of access for the intelligence community and non-state actors. Thus, they also, perhaps involuntarily, function as an interface between the state and the users in matters of encryption policy. The role has to be reflected in the human rights debate as well, and it calls for a comprehensive integration of security of user information and communication in the emerging Internet governance model of today.[1]
Internet universality
Human rights and encryption: obligations and room for action
UNESCO is working on promoting the use of legal assessments based on human rights in cases of interference with the freedom to use and deploy cryptographic methods.[1] The concept of Internet Universality, developed by UNESCO, including its emphasis on openness, accessibility to all, and multi-stakeholder participation. While these minimal requirements and good practices can be based on more abstract legal analysis, these assessments have to be made in specific contexts. Secure authenticated access to publicly available content, for instance, is a safeguard against many forms of public and private censorship and limits the risk of falsification. One of the most prevalent technical standards that enables secure authenticated access is TLS. Closely related to this is the availability of anonymous access to information. TOR is a system that allows the practically anonymous retrieval of information online. Both aspects of access to content directly benefit the freedom of thought and expression. The principle of legal certainty is vital to every juridical process that concerns cryptographic methods or practices. The principle is essential to any forms of interception and surveillance, because it can prevent unreasonable fears of surveillance, such as when the underlying legal norms are drafted precisely. Legal certainty may avert chilling effects by reducing an inhibiting key factor for the exercise of human rights, for UNESCO.[1] Continuous innovation in the field ofcryptography and setting and spreading new technical standards is therefore essential. Cryptographic standards can expire quickly as computing power increases . UNESCO has outlined that education and continuous modernization of cryptographic techniques are important.[1]
Human rights and cryptographic techniques
Risks | Relevant services adoption of cryptographic solutions | Good practices |
---|---|---|
Technical restrictions on access to content (blocking) | Cloud storage providers | Secure authenticated access to publicly available content |
Interception | Internet connectivity provider | Legal certainty |
Hacking by state and non-state actors | Publisher sites | Transparency about interferences |
Traffic analysis and surveillance | Messenger and communication services | Availability of end-to-end secure communications |
Interference with the reliability or authenticity of content | Browsers | Availability of anonymous access |
Education, including media and information literacy | ||
Standards and innovation |
Legality of limitations
The impact of human rights can only be assessed by analyzing the possible limitations that states can set for those freedoms. UNESCO states that national security can be a legitimate aim for actions that limit freedom of speech and the right to privacy, but it calls for actions that are necessary and proportional.[1] "UNESCO considers an interference with the right to encryption as a guarantee enshrined in the freedom of expression and in privacy as being especially severe if: • It affects the ability of key service providers in the media and communications landscape to protect their users' information and communication through secure cryptographic methods and protocols, thereby constituting the requirement of uninhibited communications for users of networked communication services and technologies. • The state reduces the possibility of vulnerable communities and/or structurally important actors like journalists to get access to encryption; • Mere theoretical risks and dangers drive restrictions to the relevant fundamental rights under the legal system of a state;• The mode of state action, e.g. if restrictions on fundamental rights are established through informal and voluntary arrangements, lead to unaccountable circumvention or erosion of the security of deployed cryptographic methods and technologies."[1]
Sources
See also
- Free speech
References
- Wolfgang, Schulz; van Hoboken, Joris (2016). Human rights and encryption. http://unesdoc.unesco.org/images/0024/002465/246527e.pdf: UNESCO. ISBN 978-92-3-100185-7.CS1 maint: location (link)
- James Nickel, with assistance from Thomas Pogge, M.B.E. Smith, and Leif Wenar, December 13, 2013, Stanford Encyclopedia of Philosophy, Human Rights. Retrieved August 14, 2014
- The United Nations, Office of the High Commissioner of Human Rights, What are human rights?. Retrieved August 14, 2014
- Sepúlveda et al. 2004, p. 3 Archived 2012-03-28 at the Wayback Machine [1]
- Burns H. Weston, March 20, 2014, Encyclopædia Britannica, human rights. Retrieved August 14, 2014
- Gürses, Seda; Preneel, Bart (2016). Cryptology and Privacy, In: Van Der Sloot, Broeders and Schrijvers (eds.), Exploring the Boundaries of Big Data. Netherlands Scientific Council for Government Policy.
- OECD guidelines
- Ed Felten. Software backdoors and the White House NSA panel report. December 2013, https://freedom-to-tinker.com/blog/felten/software-backdoors-and-the-white-house-nsa-panel-report/.
- Article 19, International Covenant on Civil and Political Rights. Office of the UN High Commissioner for Human Rights
- Keystones to foster inclusive knowledge societies: access to information and knowledge, freedom of expression, privacy and ethics on a global internet. http://www.unesco.org/ulis/cgi-bin/ulis.pl?catno=232563&set=0059EDFBB1_1_85&gp=1&lin=1&ll=1: UNESCO. 2015.CS1 maint: location (link)
- Rizk, Rawya (2015). "Two-phase hybrid cryptography algorithm for wireless sensor networks". Journal of Electrical Systems and Information Technology. 2 (3): 296–313. doi:10.1016/j.jesit.2015.11.005.
- Schneier, Bruce (2015). How We Sold Our Souls – and More – to the Internet Giants. https://www.schneier.com/essays/archives/2015/05/how_we_sold_our_soul.html.CS1 maint: location (link)
- Claudia Diaz, Omer Tene and Seda Gürses (2013). Hero or Villain: The Data Controller in Privacy Law and Technologies. 74 Ohio State Law Journal. p. 923.
- "See Bitcoin is NOT anonymous".
- "Bekman Center". 2016.
- Berkman Center (2016). Don't Panic: Making Progress on the "Going Dark" Debate.
- McCarthy (2016). For a discussion of Germany.
- "Bernard Cazeneuve, French Minister of the Interior, Speech at the Joint Press Conference with Thomas de Maizière, German Minister of the Interior, Paris". August 23, 2016.
- ENISA and Europol Joint Statement (May 20, 2016). "On lawful criminal investigation that respects 21st Century data protection".
- "See also Chicago Tribune. Encryption and the terrorists' tracks".
- Greenleaf 2015. For this count, the inclusion of rules on security was a criterion.
- UNESCO (2015). Keystones to foster inclusive Knowledge Societies.
- See here: https://necessaryandproportionate.org/principles
- Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001–1010
- See USA Department of Commerce, Encryption Export Controls: Revision of License Exception ENC and Mass Market Eligibility. June 2010. See also Ira Rubinstein and Michael Hintze. Export Controls on Encryption Software. http://encryption_policies.tripod.com/us/rubinstein_1200_software.htm
- See Ira Rubinstein and Joris van Hoboken. Privacy and Security in the Cloud, Maine Law Review 2014. Notably, the debate on encryption was already taking place before the Snowden revelations, as US law enforcement actors were arguing for the extension of wiretap obligations (CALEA) for internet services. For a discussion, see Adida et al. 2013.
- See e.g. the Encrypt all the Things Campaign.
- Koch, Alexander (1997). Grundrecht auf Verschlüsselung?. pp. 106–108.
- Gerhards, Julia (2010). (Grund-)Recht auf Verschlüsselung?. p. 123.
- Digital Agenda 2014–2017, p. 33.
- See Monika Ermert, NSA-Skandal: UN-Sonderberichterstatter für Datenschutz in der digitalen Welt angestrebt, Heise Online, March 23, 2015, http://www.heise.de/newsticker/meldung/NSA-Skandal-UNSonderberichterstatter-fuer-Datenschutz-in-der-digitalen-Welt-angestrebt-2582480.html.
- Available at http://pensando.mj.gov.br/dadospessoais/
- For more information, see http://www.iti.gov.br/icp-brasil.
- Mlot, Stephanie (May 3, 2016). "Brazil Bans WhatsApp (Again) Over Encryption".
- African (Banjul) Charter on Human and People's Rights, Adopted June 27, 1981, OAU Doc. CAB/LEG/67/3 rev. 5, 21 I.L.M. 58 (1982), entered into force October 21, 1986.
- African Union Convention on Cyber Security and Personal Data Protection, adopted on June 27, 2014. The Convention has currently been signed by 8 of the Member States.
- See African Declaration on Internet Rights and Freedoms, available at http://africaninternetrights.org/
- Loi n° 1–2001 du 15 janvier 2001 portant promulgation du code des télécommunications (Tunesia), available at http://www.wipo.int/wipolex/en/text.jsp?file_id=204160
- Decision No 17 du June 11, 2012, http://www.arpt.dz/fr/doc/reg/dec/2012/DEC_N17_11_06_2012.pdf
- Egypt Telecommunications Regulation Law (Translation), available at http://hrlibrary.umn.edu/research/Egypt/Egypt%20Telecommunication%20Regulation%20Law.pdf
- Bulletin officiel n° 6332 du 15 rabii II 1436 (February 5, 2015), available at http://adala.justice.gov.ma/production/html/Fr/liens/..%5C188896.htm
- See MyGov, Computer and cybercrime law to be in place before end year, June 29, 2016, http://www.mygov.go.ke/?p=10848
- "Uganda Election: Facebook and Whatsapp blocked". BBC News. February 18, 2016.
- Ajibola Adigun, Affront on Freedom in Ghana with the Introduction of Spy Bill, Student For Liberty, March 29, 2016, https://studentsforliberty.org/africa/2016/03/29/affront-on-freedom-in-ghana-with-theintroduction-of-spy-bill/
- Nigerian Communications Commission, Draft Lawful Interception of Communications Regulations, available at http://bit.ly/1du7UKO
- See Freedom House, Freedom on the Net 2015: South Africa, https://freedomhouse.org/report/freedomnet/2015/south-africa
- See Electronic Communications and Transactions Act, 2002 No. 25 of 2002, http://www.internet.org.za/ect_act.html
- Mendel, Toby (n.d.). The UN Special Rapporteur on freedom of opinion and expression: progressive development of international standards relating to freedom of expression. in: McGonagle and Donders. The United Nations and Freedom of Expression and Information. pp. 238, chapter 8.
- Manfred Nowak, CCPR Commentary, 2nd edition, p. 477. Cf. Michael O'Flaherty. International Covenant on Civil and Political Rights: interpreting freedom of expression and information standards for the present and the future. in: McGonagle and Donders. The United Nations and Freedom of Expression and Information. chapter 2, p. 69 et seq.
- Art. 17 ICCPR; Art. 21 ACHR (Arab); Art. 11 ACHR (America); Art. 21 AHRD.
- Fried, Charles (1968). "Privacy". Yale Law Journal. 77 (3): 475, 483. doi:10.2307/794941. JSTOR 794941.
- CCPR/G/GC/34, § 11.
- See for example New York Times Co. v. Sullivan, 376 U.S. 254 (1964) and Dombrowskiv. Pfister, 380 U.S. 479 (1965).
- See BVerfG NJW 1995, 3303 (3304) and BVerfG NJW 2006, 207 (209).
- Cumhuryiet Vafki and others v. Turkey, ECHR August 10, 2013 – 28255/07; Ricci v. Italy, ECHR August 10, 2013 – 30210/06.
- Tarlach McGonagle. The United Nations and Freedom of Expression and Information. chapter 1, p. 3.
- Report of the Special Rapporteur on the right to privacy, Joseph A. Cannataci, A/HRC/31/64.
- Alexy, Robert; Rivers, Julian (n.d.). A Theory of Constitutional Rights. p. 315.
- MacKinnon et al. UNESCO study; Cf. Karol Jakubowicz. Early days: the UN, ICTs and freedom of expression. in: The United Nations and Freedom of Expression and Information. chapter 10, pp. 324 et seq.
- Cf. the UN Guiding Principles on Business and Human Rights. 2011. http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf and the UNESCO publication Fostering Freedoms Online. The Role of Internet Intermediaries. 2014. http://unesdoc.unesco.org/images/0023/002311/231162e.pdf.