Encryption and Anonymity Annual Report

Strong encryption is now available to everyone, and tools as TOR, proxies, and VPNs allow strong anonymity. Encryption and anonymity provide individuals, including journalists, with means to protect their privacy. The first question of this report is: do the rights to privacy and freedom of opinion and expression protect encryption or anonymity? Since encryption or anonymity are instruments that can also be used to commit crimes, States have implemented or proposed rules to prohibit them or to allow law enforcement authorities to circumvent them. The second question is therefore: to what extent may Governments impose restrictions on encryption and anonymity?

The International Covenant on Civil and Political Rights (ICCPR) and other universal, regional, or national laws protect the rights to privacy and the freedoms of opinion and expression. Most of the regulations establish that limitations must be narrow, established by law, and applied strictly and only in exceptional circumstances. Privacy is protected and is also a gateway for other rights, including freedom of opinion and expression. The right to hold opinions allows no interference. In the digital age this is not just an abstract concept (limited to what one has in mind): this includes also digital stored opinions. Moreover, the right to hold opinions includes the right to form opinions. These are both under attack. The right to freedom of expression includes the freedom to seek, receive, and impart information and ideas, regardless of frontiers and through any media. It may be restricted, provided that any limitation must be provided for by law, may only be imposed for legitimate grounds. and must conform to the tests of necessity and proportionality.

According to the report, the trends regarding security and privacy online are deeply worrying. State authorities have rarely identified situations in which legitimate goals make restrictions necessary. After terrorist incidents there are often quick efforts to restrict encryption and anonymity, even when they had no role in the incidents itself. Many laws and policies do not meet the standards of necessity and proportionality.

Some governments seek to protect or promote encryption. National measures include non-restriction or comprehensive protection, the requirement of court orders for any specific limitation, and public education. They should be widely implemented. Two faults in regulation are common: restrictions do not necessarily meet a legitimate interest; the rights to freedom of opinion and expression enjoyed by targeted persons or the general population are disproportionately impacted.

Some states have rules that are substantially equivalent to a ban of encryption (such as the need of a license). Others have implemented back-doors: intentional weakness in encryption that could make it susceptible to attack. Key escrow systems, permitting individuals to access to encryption but requiring them to store their private keys with a third party (e.g. the government), create substantial vulnerabilities. In some States there are legal presumptions that identify the use of encryption technologies as illicit behaviour.

When an authority wants access to encrypted communication, it can order two things: the decryption of specific communications, or the disclosure of the key. This second solution exists by law in a number of European countries, and is often preferred because of a lack of confidence in compliance with the first kind of order, but it could expose more private data than necessary.

Anonymity is not addressed in the Universal Declaration of Human Rights (UDHR) and in the ICCPR. Few states generally protect anonymous expression, but some courts have ruled in favour of it (e.g. the European Court of Human Rights (ECHR) has recognised anonymity as important for the freedom of expression, but permits limitations). Many states protect the anonymity of journalists’ sources, but breaches are common. Many states ban anonymity, and others require real-name registration for online activity (e.g. in Russia, bloggers with more than 3,000 daily readers must register with the media regulator and identify themselves publicly). Many governments require SIM card registration. States such as China and Russia fight anonymity tools such as Tor, proxies, and VPNs. Ban and interception of anonymous communication in times of protest are common, but interfere also with the right to peaceful protest.

Some courts are establishing responsibilities of Internet service providers and media platforms to regulate online comments by anonymous users (e.g. in Delfi v. Estonia the ECHR upheld a law imposing liability on media platforms for anonymous defamatory statements posted on their websites). This is likely to undermine anonymity. Broad mandatory data retention policies also create problems.

Tags: Privacy Digital safety Digital rights Encryption Freedom of expression United Kingdom Russia Estonia European Court of Human Rights