Encryption and Anonymity follow-up report

In 2017 the United Nations Human Rights Council encouraged companies to work to enable the use of technical solutions to secure and protect the confidentiality of digital communications, and called upon States to avoid restrictions to their use, unless they comply with international human rights law. However, State practice has not improved since 2015. In fact, it may have worsened, becoming less protective of digital security. 

Many States have issued bans to the use and dissemination of encryption technologies, e.g. Turkey has accused citizens of complicity in the 2016 coup attempt because of their use of an encrypted messaging app. Laws require registration and government approval of encryption tools, e.g. in Russia the “Yarovaya Law” requires certification for the use of encryption technology. States have intensified their efforts to weaken encryption used in widely available products and services. The United Kingdom has passed the Investigatory Powers Act 2016, which was aimed to place government practices on legal footing, but may provide authority for the Government to weaken encryption. The statute was viewed by other States as a model. In other countries there are judicial battles to protect encryption in commercially available products and services, e.g. a Russian court blocked access to Telegram after the company refused to provide encryption keys to the government.

Government hacking activities are growing around the world, often citing the prevalence of encrypted communications as a justification. Authorising norms, when existing, are often vaguely and ambiguously written, giving authorities open-ended powers with minimal oversight, e.g. civil society organisations in the UK have challenged the GCHQ intelligence agency before the UK Supreme Court and the ECHR, because it has reportedly obtained warrants for large-scale hacking; in Italy, a bill regulating the government’s use of hacking tools was criticised by human rights groups.

Some government authorities require providers of communications services to store personal and sensitive data locally, e.g. Russia requires local storage of encryption keys. Mandatory key escrows require communications service providers to store encryption keys with a designated government authority or a “trusted third party”. Some States have imposed restrictions on the right to anonymity, e.g. Germany tightened security laws relating to the registration of users at the time of purchasing a SIM card; in Russia, providers of communications services have been forced to disclose users’ identity.

There are a few exceptions to this general trend. The Netherlands avoided enacting legislation that would guarantee government access to encrypted data, and has instead publicly recognised the benefits of encryption. The European Union approved the General Data Protection Regulation (GDPR) requiring data controllers to take appropriate measures to protect privacy and other fundamental rights.

The report makes several recommendations to States, including: States should adopt laws and policies that provide comprehensive protection and support for the use of encryption tools; restrictions should be permitted only in exceptional circumstances; decryption requests should be reviewed by an independent and impartial judicial body.

Companies are not parties to the Covenant, but they play a significant role, and the report makes some recommendations to them too: messaging apps and device manufacturers (of all connected devices) should provide encryption as a default setting or at least as a visible, easy option; digital access providers, such as Internet service providers (ISPs), should respect the privacy and security of end users.

Tags: Encryption Privacy Freedom of expression Digital rights Digital safety Human rights European policies and legislation Russia Turkey United Kingdom Italy Netherlands Germany