Human rightsandencryption are often viewed as interlinked. Encryption can be a technology that helps implement basic human rights. In the digital age, the freedom of speech has become more controversial; however, from a human rights perspective, there is a growing awareness that encryption is essential for a free, open, and trustworthy Internet.[1]
Background
Human rights
Human rights are moral principles or norms for human behaviour that are regularly protected as legal rights in national and international law.[2] They are commonly understood as inalienable,[3] fundamental rights "to which a person is inherently entitled simply because they are a human being".[4] Those rights are "inherent in all human beings"[5] regardless of their nationality, location, language, religion, ethnic origin, or any other status.[3] They are applicable everywhere and at every time and are universal[2] and egalitarian.[3]
Cryptography
Cryptography is a long-standing subfield of both mathematics and computer science. It can generally be defined as "the protection of information and computation using mathematical techniques."[6]Encryption and cryptography are closely interlinked, although "cryptography" has a broader meaning. For example, a digital signature is "cryptography", but not technically "encryption".[7][1]
Overview
Under international human rights law, freedom of expression is recognized as a human right under Article 19 of the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR). In Article 19 of the UDHR states that "everyone shall have the right to hold opinions without interference" and "everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice".[8]
Since the 1970s, the availability of digital computing and the invention of public-key cryptography have made encryption more widely available. (Previously, encryption techniques were the domain of nation-state actors.) Cryptographic techniques are also used to protect the anonymity of communicating actors and privacy more generally. The availability and use of encryption continue to lead to complex, important, and highly contentious legal policy debates. Some government agencies have made statements or proposals to lessen such usage and deployment due to hurdles it presents for government access. The rise of commercial end-to-end encryption services have pushed towards more debates around the use of encryption and the legal status of cryptography in general.[1]
Encryption, as defined above, is a set of cryptographic techniques to protect information. The normative value of encryption, however, is not fixed but varies with the type and purpose of the cryptographic methods used. Traditionally, encryption (cipher) techniques were used to ensure the confidentiality of communications and prevent access to information and communications by others and intended recipients. Cryptography can also ensure the authenticity of communicating parties and the integrity of communications contents, providing a key ingredient for enabling trust in the digital environment.[1]
There is a growing awareness within human rights organizations that encryption plays an important role in realizing a free, open, and trustworthy Internet. UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye observed, during the Human Rights Council in June 2015, that encryption and anonymity deserve a protected status under the rights to privacy and freedom of expression:
"Encryption and anonymity, today's leading vehicles for online security, provide individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and information without interference and enabling journalists, civil society organizations, members of ethnic or religious groups, those persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others to exercise the rights to freedom of opinion and expression."[9]
Encryption in media and communication
In the context of media and communication, two types of encryption in media and communication can be distinguished:
It could be used as a result of the choice of a service provider or deployed by Internet users. Client-side encryption tools and technologies are relevant for marginalized communities, journalists and other online media actors practicing journalism as a way of protecting their rights.
It could prevent unauthorized third party access, but the service provider implementing it would still have access to the relevant user data. End-to-end encryption is an encryption technique that refers to encryption that also prevents service providers themselves from having access to the user's communications. The implementation of these forms of encryption has sparked the most debate since the start of the 21st century.[1]
Service providers deployed techniques to prevent unauthorized third-party access.
Among the most widely deployed cryptographic techniques is the securitization of communications channel between internet users and specific service providers from man-in-the-middle attacks, access by unauthorized third parties. Given the breadth of nuances involved, these cryptographic techniques must be run jointly by both the service user and the service provider in order to work properly. They require service providers, including online news publisher(s) or social network(s), to actively implement them into service design. Users cannot deploy these techniques unilaterally; their deployment is contingent on active participation by the service provider.[citation needed] The TLS protocol, which becomes visible to the normal internet user through the HTTPS header, is widely used for securing online commerce, e-government services and health applications as well as devices that make up networked infrastructures, e.g., routers, cameras. However, although the standard has been around since 1990, the wider spread and evolution of the technology has been slow. As with other cryptographic methods and protocols, the practical challenges related to proper, secure and (wider) deployment are significant and have to be considered. Many service providers still do not implement TLS or do not implement it well.[citation needed]
In the context of wireless communications, the use of cryptographic techniques that protect communications from third parties are also important. Different standards have been developed to protect wireless communications: 2G, 3G and 4G standards for communication between mobile phones, base stations and base stations controllers; standards to protect communications between mobile devices and wireless routers ('WLAN'); and standards for local computer networks.[10] One common weakness in these designs is that the transmission points of the wireless communication can access all communications e.g., the telecommunications provider. This vulnerability is exacerbated when wireless protocols only authenticate user devices, but not the wireless access point.[1]
Whether the data is stored on a device, or on a local server as in the cloud, there is also a distinction between 'at rest'. Given the vulnerability of cellphones to theft for instance, particular attention may be given to limiting service provided access. This does not exclude the situation that the service provider discloses this information to third parties like other commercial entities or governments. The user needs to trust the service provider to act in their interests. The possibility that a service provider is legally compelled to hand over user information or to interfere with particular communications with particular users, remains.[1]
Privacy-enhancing Technologies
There are services that specifically market themselves with claims not to have access to the content of their users' communication. Service Providers can also take measures that restrict their ability to access information and communication, further increasing the protection of users against access to their information and communications. The integrity of these Privacy Enhancing Technologies (PETs), depends on delicate design decisions as well as the willingness of the service provider to be transparent and accountable.[2] For many of these services, the service provider may offer some additional features (besides the ability to communicate), for example, contact list management—meaning that they can observe who is communicating with whom—but take technical measures so that they cannot read the contents of the messages. This has potentially negative implications for users; for instance, since the service provider has to take action to connect users who want to communicate using the service, it will also have the power to prevent users from communicating in the first place.[1]
Following the discovery of vulnerabilities, there is a growing awareness that there needs to be more investment in the auditing of widely used code coming out of the free and open software community. The pervasiveness of business models that depend on the collection and processing of user data can be an obstacle for adopting cryptographic mechanisms for protecting information at rest. As Bruce Schneier stated:[11]
"Surveillance is the business model of the Internet. This has evolved into a shockingly extensive, robust, and profitable surveillance architecture. You are being tracked pretty much everywhere you go on the Internet, by many companies and data brokers: ten different companies on one site, a dozen on another."[11] Cryptographic methods play a key role in online identity management.[11]
Digital credential systems can be used to allow anonymous yet authenticated and accountable transactions between users and service providers and to build privacy preserving identity management systems.[12][1]
End-user and community-driven encryption and collaborative services
The Internet allows end-users to develop applications and uses of the network without having to coordinate with the relevant internet service providers. Many of the available encryption tools are not developed or offered by traditional service providers or organizations but by experts in the free and open-source software (FOSS) and Internet engineering communities. A major focus of these initiatives is to produce Privacy Enhancing Technologies (PETs) that can be unilaterally or collaboratively deployed by interested users who are ready, willing, and able to look after their own privacy interests when interacting with service providers. These PETs include standalone encryption applications as well as browser add-ons that help maintain the confidentiality of web-based communications or permit anonymous access to online services and search engines. Technologies such as keystroke loggers can intercept content as it is entered before encryption is applied, thereby falling short of offering protection. Hacking into information systems and devices to access data at or after the moment of decryption may have the same effect.[1]
Multi-party computation (MPC) techniques are an example of collaborative solutions that allow parties, e.g., NGOs with sensitive data, to do data analytics without revealing their datasets to each other. All of these designs leverage encryption to provide privacy and security assurances in the absence of a trustworthy centralized authority.[1]
There are many developments in the implementations of cryptocurrencies using blockchain protocols. These systems can have many benefits and these protocols can also be useful for novel forms of contracts and electronic attestation, useful aids when legal infrastructure are not readily available. As to the protection of privacy related to payments, it is a common misconception that the cryptographic techniques that are used in Bitcoin ensure anonymous payments. The only protection offered by Bitcoin is pseudonymity.[13]
The cryptographic protection of metadata
The availability of metadata (the non personally identifiable information generated by a user's communications/behaviors) can pose a particular threat to users. This is information that is not protected by law, & that can be observed by service providers through the provisioning of services; including but not limited to: the time, frequency, duration, involved parties & so on. Metadata can also be used to track people geographically and can interfere with their ability to communicate anonymously.[14] As noted by the Berkman Center report, metadata is generally not encrypted in ways that make it inaccessible for governments, and accordingly "provides an enormous amount of surveillance data that was unavailable before [internet communication technologies] became widespread."[15] To minimize exposure of meaningful metadata, encryption tools may need to be used in combination with technologies that provide communication anonymity.[citation needed]
The Onion Router
The Onion Router, most commonly known as Tor, offers the ability to access websites and online services anonymously. Tor requires a community of volunteers to run intermediary proxies which channel a user's communication with a website so that third parties cannot observe who the user is communicating with. Through the use of encryption, each proxy is only aware of part of the communication path meaning that none of the proxies can by itself infer both the user and the website he/she is visiting. Besides protecting anonymity, Tor is also useful when the user's ISP blocks access to content.[1] This is similar as the protection that can be offered by a VPN (Virtual Private Network). Service providers, such as websites, can block connections that come from the Tor network. Because certain malicious traffic may reach service providers as Tor traffic and because Tor traffic may also interfere with the business models, service providers may have an incentive to do so. This interference can prevent users from using the most effective means to protect their anonymity online. The Tor browser allows users to obfuscate the origin and end-points of their communications when they communicate on the internet.[1]
Obfuscation
Obfuscation, the automated generation of "fake" signals that are indistinguishable from users' actual online activities, providing users with a noisy "cover" under which their real information and communication behaviour remains unobservable. Obfuscation has received more attention as a method to protect users online recently. TrackMeNot is an obfuscation tool for search engine users: the plugin sends fake search queries to the search engine, affecting the ability of the search engine provider to build an accurate profile of the user. Although TrackMeNot and other search obfuscation tools have been found to be vulnerable to certain attacks that allow search engines to distinguish between user-generated and computer-generated queries, further advances in obfuscation are likely to play a positive role in protecting users when disclosure of information is inevitable, as in the case of search or location-based services.[1]
Cryptography, law and human rights
Restrictions on cryptographic techniques
Recent incidents of terrorism have led to further calls for restrictions on encryption.[16] Even though, in the interest of public safety, there are many proposals to interfere with the free deployment of strong encryption, these proposals do not hold up against close scientific scrutiny. These proposals side-step a more fundamental point, related to what is at stake for users. More advanced security measures seem necessary for governments, considering the existing threat landscape for users of digital communications and computing.[16]
While many governments consider that encryption techniques could present a hurdle in the investigation of crime and the protection of national security, certain countries, such as Germany or the Netherlands have taken a strong position against restrictions on encryption on the Internet.[17] In 2016, the Ministers of the Interior of France and Germany jointly stated the need to work on solutions for the challenges law enforcement can face as a result of end-to-end encryption, in particular when offered from a foreign jurisdiction.[18] In a joint statement, the European Agency for Network and Information Security (ENISA) and Europol have also taken a stance against the introduction of back-doors in encryption products.[19] In addition, restrictions would have serious detrimental effects on cyber security, trade and e-commerce.[20][1]
Encryption and the law: the broader landscape
Privacy and data protection legislation is closely related to the protection of human rights. There are now more than 100 countries with data protection laws.[21] One of the key principles for the fair and lawful processing of personal information regulated by data protection laws is the principle of security. This principle implies that proper security measures are taken to ensure the protection of personal data against unlawful access by others than intended recipients.[1] The European Union General Data Protection Regulation, which was adopted in 2016 and will enter in to force in 2018, contains an advanced set of rules with respect to the security of personal data.[1]
Encryption can be a safeguard against personal data breaches for the UN, as it can facilitate the implementation of privacy and data protection by design.[1] Cryptography has also been an essential ingredient for establishing the conditions for e-Commerce over the Internet. The OECD Principles were adopted to ensure that national cryptography policy would not interfere with trade and to ensure the conditions for international developments in e-Commerce.[1]
International cryptography policy and human rights
The policy debate about encryption has a significant international dimension because of the international nature of the communications networks and the Internet as well as trade, globalization and the national security dimensions. The OECD adopted a policy for the recommendation of concerning guidelines for cryptography on March 27, 1997. There are three components to this policy intervention of the OECD, which is primarily aimed at its Member Countries: a recommendation of the OECD Council, Guidelines for Cryptography Policy (as an Annex to the Recommendation) and a Report on Background and Issues of Cryptography Policy to explain the context for the guidelines and the basic issues involved in cryptography law and policy debate. The 5th principle on the protection of privacy and personal data: explicitly discusses the connection to human rights as: "The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods."[1]
The United Nations Educational, Scientific and Cultural Organization (UNESCO) identified encryption as a relevant element for policy on privacy and freedom of expression. The Keystones Report (2015) articulates that "to the extent that our data can be considered representative of ourselves, encryption has a role to play in protecting who we are, and in preventing abuse of user content. It also allows for greater protection of privacy and anonymity in transit by ensuring that the contents (and sometimes also the metadata) of communications are only seen by the intended recipient."[22] The report recognizes "the role that anonymity and encryption can play as enablers of privacy protection and freedom of expression" and proposes that UNESCO facilitate dialogue on these issues.[1]
The necessary and proportionate principles developed and adopted by civil society actors stipulates the protection of the integrity of communications systems as one of its 13 principles.[23] The principles themselves do not provide for explicit guidance on specific cryptographic policy issues such as back-doors or restrictions on the deployment of encryption. The guidance that is offered by the OECD principles and the recent positions of the UN Rapporteur on Encryption state the importance of encryption for the protection of human rights. While it does not give a definitive answer to the question of whether a mandate for encryption back-doors is to be considered incompatible with international law, it does point in that direction. Generally, the available guidance at the international level clarifies that when limitations are imposed on encryption, relevant human rights guarantees have to be strictly observed.[1]
National level developments in selected countries
United States
There has been a broad, active and contentious policy debate on encryption in the US since the 1990s beginning with the "Crypto Wars". This involved the adoption of the Communications Assistance for Law Enforcement Act (CALEA), containing requirements for telecommunications providers and equipment manufacturers to ensure the possibility of effective wiretapping.[24] It also involved a debate over existing export controls on strong encryption products (considering their classification as munition) and a criminal investigation into cryptographic email software developer and activist Phil Zimmermann. The case was dropped and the general debate resolved after the liberalization of export controls on most commercial products with strong encryption features and the transfer of these items from the U.S.A. Munitions List (USML), administered by the Department of State, to the Commerce Control List (CCL), administered by the Department of Commerce.[25] The USA Department of Commerce maintains some controls over items on the CCL, including registration, technical reviews and reporting obligations, and continues to impose licensing and other requirements for sensitive encryption items and sales of such items to foreign governments.[1]
The debate ignited after the Edward Snowden revelations and the well-documented increase in deployed encryption measures by Internet services, device makers and users, as well as a concerted call from the technical community and civil society to increase encryption use and security to address mass surveillance practices.[26] The increased adoption of encryption by the industry has been received critically by certain government actors, the FBI in particular.[1] This led to the widely reported FBI–Apple encryption dispute over the possibility to gain access to information on the iPhone in assistance to law enforcement. In 2016, several bills were introduced in the US Congress that would place new limits encryption under USA law. The USA's legal system promotes and requires security measures to be implemented in the relevant contexts, including cryptographic methods of various kinds, to ensure security in commerce and trade. Relevant laws are the Federal Information Security Modernization Act (FISMA) of 2014, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA) and also the Federal Trade Commission Act. These acts contain security requirements and thereby indirectly require or stimulate the use of encryption in certain circumstances. Finally, many state breach notification laws treat encrypted data as a safe harbor by exempting firms that have encrypted data from notice obligations.[1]
Constitutional considerations and human rights play a role of significance in the USA debate about the legal treatment of encryption methods. Restrictions on distribution of cryptographic protocols, and the publication of cryptographic methods are considered an interference with the First Amendment, the USA constitutional safeguard protecting freedom of expression.[1] The USA has particularly active and strongly developed civil society actors involved in cryptographic policy and practice.
The United States of America is a primary site for cryptology research and engineering, development and implementation of cryptographic service innovations. There is an active community of Non-Governmental Organizations engaged in the national and international debate on encryption policy.[27] The predominant interference's with strong encryption that take place or are being considered take place in the field of national security, law enforcement and Foreign Affairs. In this area and in answering the contentious question of whether and how lawful access to specific communications could be ensured, the US Government has internationally explained its policy as one aiming to ensure that 'responsibly deployed encryption' helps to "secure many aspects of our daily lives, including our private communications and commerce", but also "to ensure that malicious actors can be held to account without weakening our commitment to strong encryption".[1]
Germany
As part of the global debate on encryption in the late 1990s, a debate also took place in Germany about the need and legitimacy of imposing a general ban on the encryption of communications because of the impact on criminal investigations.[28] There were profound doubts concerning the constitutional legitimacy as well as concerns about negative factual consequences of such a ban.[28] In qualitative terms, a number of fundamental rights are considered to be affected by restrictions on encryption: the secrecy of telecommunications, expressions of the general right of personality and, indirectly, all communicative freedoms that are able to be exercised over the Internet.[29] The Federal Government set key points in 1999 for the German cryptographic policy which should especially provide confidence in the security of encryption instead of restricting it.[1] Besides the statements of the German Minister of the Interior towards possible future restrictions, Germany aligns with the position of the UN Special Rapporteur David Kaye and adopts policies of non-restriction or comprehensive protection and only adopts restrictions on a case-specific basis. In November 2015 governmental representatives as well as representatives of the private sector signed a "Charter to strengthen the trusted communication ("Charta zur Stärkung der vertrauenswürdigen Kommunikation") together, in which they stated: "We want to be Encryption Site No. 1 in the world".[30] The German Government has also used its foreign policy to promote international privacy standards.[1] In particular, Germany, in a joint effort with Brazil, committed itself in the Human Rights Council for the appointment of an UN Special Rapporteur on Privacy.[25] There are multiple examples of how there have been efforts by the government to implement encryption policy. They range from informal actions to laws and regulations: The IT Security Act in 2015, the 'De-Mail' law. There are also several sector-specific rules for encryption and information security in Germany, like the Telecommunications Act (TKG). The German Constitutional Court has also provided valuable input for the international legal handling of encryption techniques with the IT basic right, with which, the constitutional court recognizes that parts of one's personality go into IT systems and therefore the applied protection has to travel with it.[1]
India
There are a number of limitations on the free deployment of encryption by electronic communications services despite the fact that Indian law and policy promotes and requires the implementation of strong encryption as a security measure, such as in banking, e-commerce and by organizations handling sensitive personal information.[1] There is notable legal uncertainty about the precise legal scope of these license requirements and to what extent they could have legal effect on (the use of or deployment of ) services by the end-users of covered services. The encryption debate ignited publicly in India in 2008 after the Government published a draft proposal with a number of envisioned limitations on the use of encryption. The policy, issued under Section 84A of the Indian Information Technology (Amendment) Act, 2008 was short-lived, but worries remain about the lack of safeguards for privacy and freedom of expression that the draft illustrated.[1] In response to the outcry, the Indian government first exempted "mass use encryption products, which are currently being used in web applications, social media sites, and social media applications such as WhatsApp, Facebook, Twitter etc." Soon thereafter, it withdrew the proposed policy, and a new policy has not been made public yet.[1]
Section 84A of the Indian Information Technology (Amendment) Act, 2008 empowers the government to formulate rules on modes of encryption for the electronic medium. Legal commentators have noted the lack of transparency about what types of encryption use and deployment are permitted and required under Indian law, especially in the field of electronic communications services.[1] Thus, the Central Indian Government has, in theory, a broad exclusive monopoly over electronic communications which includes the privilege to provide telecommunication and Internet services in India.[1]
Brazil
After the Edward Snowden revelations in 2013, Brazil was at the forefront of a global coalition promoting the right to privacy at the UN and condemning USA mass surveillance. In recent events, Brazil has demonstrated diverse aims when it comes to the use and implementation of encryption. On the one side, the country is a leader in providing a legal framework of rules for the Internet.[1] But it has also taken several measures that may be seen to restrict the dissemination of encryption technology. In 2015, in a process that was open for public comments and discussions, Brazil's legislator drafted a new privacy bill ("proteção de dados pessoais"), which was sent to Brazil's Federal Congress on May 13, 2016 and came into force as Bill 5276 of 2016.[31] It regulates and protects personal data and privacy, including online practices and includes provisions for more secure methods such as encryption on the treatment of personal data. The law also addresses security issues and a duty for companies to report any attacks and security breaches. With the Marco Civil (2014), that introduces principles like neutrality, the Brazilian Civil Rights Framework for the Internet, Brazil was one of the first countries to ever introduce a law, that aims at combining all Internet rules in one bundle. Brazil has a well-established e-government model: The Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira – ICP-Brasil [pt]).[32] Since 2010 ICP-Brasil certificates can be partly integrated in Brazilian IDs, which can then be used for several services like tax revenue service, judicial services or bank related services. In practice, the ICP-Brasil digital certificate acts as a virtual identity that enables secure and unique identification of the author of a message or transaction made in an electronic medium such as the web. Brazilian courts have taken a stance against encryption in private messaging services by repeatedly ordering the blocking of the messaging service WhatsApp.[33] Since it switched to a full end-to-end encryption, the service has been periodically blocked as a result of a court order in an attempt to make the company comply with demands for information.[1]
African countries
The African (Banjul) Charter on Human and People's Rights, was adopted in the context of the African Union in 1981.[34] A Protocol to the Charter, establishing the African Court on Human and Peoples' Rights was adopted in 1998 and came into effect in 2005. In the area of information policy, the African Union has adopted the African Union Convention on Cyber Security and Personal Data Protection.[35] The provisions on personal data protection in this Convention generally follow the European model for the protection of data privacy and contains a number of provisions on the security of personal data processing.[1] A civil society initiative has adopted a specific African Declaration on Internet Rights and Freedoms "to help shape approaches to Internet policy-making and governance across the continent".[36]
Northern Africa
Different countries in the North-African region have not seen a significant rise in legal actions aiming at the suppression of encryption in the transformations that started in 2011. Although legislation often dates back to before the transformations, the enforcement has become stricter since then. No difference in the position towards cryptography can be seen between the countries that had successful revolutions and went through regime changes and those that didn't.[1]
Tunisia has several laws that limit online anonymity.[1] Articles 9 and 87 of the 2001 Telecommunication Code ban the use of encryption and provide a sanction of up to five years in prison for the unauthorized sale and use of such techniques.[37]
In Algeria, users have legally needed authorization for the use of cryptographic technology from the relevant telecommunications authority ARPT (Autorité de Régulation de la Poste et des Télécommunications) since 2012.[38]
In Egypt, Article 64 of the 2003 Telecommunication Regulation Law states that the use of encryption devices is prohibited without the written consent of the NTRA, the military, and national security authorities.[39]
In Morocco, the import and export of cryptographic technology, be it soft- or hardware, requires a license from the government. The relevant law No. 53-05 (Loi n° 53-05 relative à l'échange électronique de données juridiques) went into effect in December 2007.[40]
East Africa
There are no specific provisions in effect in countries in the East-African region restricting the use of encryption technology. As in other African countries, the main reason given for State surveillance is the prevention of terroristic attacks. Kenya with its proximity to Somalia, has cited this threat for adopting restrictive actions. The country has recently fast-tracked a Computer and Cybercrime Law, to be adopted in the end of 2016.[41] In Uganda a number of laws and ICT policies have been passed over the past three years, none of them however deal with encryption. In 2016, following the Presidential Elections, the Ugandan government shut down social networks such as Twitter, Facebook and WhatsApp.[42]
West Africa
West-African countries neither limit the import or export of encryption technology, nor its use, most national and foreign companies still rely on the use of VPNs for their communication. Ghana recently introduced a draft law aiming at intercepting electronic and postal communications of citizens, to aid crime prevention. Section 4(3) of the proposed bill gives the government permission to intercept anyone's communication upon only receiving oral order from a public officer.[43] Recently the Nigerian Communications Commission has drafted a bill regarding Lawful Interception of Communications Regulations.[44] If passed, the bill allows the interception of all communication without judicial oversight or court order and forces mobile phone companies to store voice and data communication for three years. Furthermore, the draft plans to give the National Security Agency a right to ask for a key to decrypt all encrypted communication.[1]
Southern Africa
Users in South Africa are not prohibited from using encryption.[45] The provision of such technology, however, is strictly regulated by the Electronic Communications and Transactions Act, 2002.[46]
Human rights legal framework related to cryptography
International instruments
While a very broad range of human rights is touched upon by digital technologies, the human rights to freedom of expression (Art. 19 International Covenant on Civil and Political Rights [ICCPR]) and the right to private life (Art. 17 ICCPR) are of particular relevance to the protection of cryptographic methods. Unlike the Universal Declaration of Human Rights (UDHR) which is international 'soft law', the ICCPR is a legally bindinginternational treaty.[47]
Restrictions on the right to freedom of expression are only permitted under the conditions of Article 19, paragraph 3. Restrictions shall be provided for by law and they shall be necessary (a) for the respect of the rights or reputations of others or (b) for the protection of national security or of public order or of public health or morals.[1] A further possibility for restriction is set out in Art. 20 ICCPR,[48] In the context of limitations on cryptography, restrictions will most often be based on Article 19 (3)(b), i.e., risks for national security and public order. This raises the complex issue of the relation, and distinction, between security of the individual, e.g., from interference with personal electronic communications, and national security. The right to privacy[49] protects against 'arbitrary or unlawful interference' with one's privacy, one's family, one's home and one's correspondence. Additionally, Article 17(1) of the ICCPR protects against 'unlawful attacks' against one's honour and reputation.[1] The scope of Article 17 is broad. Privacy can be understood as the right to control information about oneself.[50] The possibility to live one's life as one sees fit, within the boundaries set by the law, effectively depends on the information which others have about us and use to inform their behaviour towards us. That is part of the core justification for protecting privacy as a human right.[1]
In addition to the duty to not infringe these rights, States have a positive obligation to effectively ensure the enjoyment of freedom of expression and privacy of every individual under their jurisdiction.[51] These rights may conflict with other rights and interests, such as dignity, equality or life and security of an individual or legitimate public interests. In these cases, the integrity of each right or value must be maintained to the maximum extent, and any limitations required for balancing have to be in law, necessary and proportionate (especially least restrictive) in view of a legitimate aim (such as the rights of others, public morals and national security).[1]
Guaranteeing "uninhibited communications"
Encryption supports this mode of communication by allowing people to protect the integrity, availability and confidentiality of their communications.[1] The requirement of uninhibited communications is an important precondition for freedom of communication, which is acknowledged by constitutional courts e.g. US Supreme Court[52] and the Federal Constitutional Court of Germany[53] as well as the European Court of Human Rights.[54] More specifically, meaningful communication requires people's ability to freely choose the pieces of information and develop their ideas, the style of language and select the medium of communication according to their personal needs. Uninhibited communication is also a precondition for autonomous personal development. Human beings grow their personality by communicating with others.[55] UN's first Special Rapporteur on Privacy, Professor Joe Cannataci, stated that "privacy is not just an enabling right as opposed to being an end in itself, but also an essential right which enables the achievement of an over-arching fundamental right to the free, unhindered development of one's personality".[56] In case such communication is inhibited, the interaction is biased because a statement does not only reflect the speaker's true (innermost) personal views but can be unduly influenced by considerations that should not shape communication in the first place.[1] Therefore, the process of forming one's personality through social interaction is disrupted. In a complex society freedom of speech does not become reality when people have the right to speak. A second level of guarantees need to protect the precondition of making use of the right to express oneself. If there is the risk of surveillance the right to protect one freedom of speech by means of encryption has to be considered as one of those second level rights. Thus, restriction of the availability and effectiveness of encryption as such constitutes an interference with the freedom of expression and the right to privacy as it protects private life and correspondence. Therefore, it has to be assessed in terms of legality, necessity and purpose.[1]
Procedures and transparency
Freedom of expression and the right to privacy (including the right to private communications) materially protect a certain behaviour or a personal state.[1] It is well established in fundamental rights theory that substantive rights have to be complemented by procedural guaranties to be effective.[57] Those procedural guarantees can be rights such as the right to an effective remedy. However, it is important to acknowledge that those procedural rights must, similar to the substantive rights, be accompanied by specific procedural duties of governments without which the rights would erode. The substantial rights have to be construed in a way that they also contain the duty to make governance systems transparent, at least to the extent that allows citizens to assess who made a decision and what measures have been taken. In this aspect, transparency ensures accountability. It is the precondition to know about the dangers for fundamental rights and make use of the respective freedoms.[1]
Security intermediaries
The effectuate of human rights protection requires the involvement of service providers. These service providers often act as intermediaries facilitating expression and communication of their users of different kinds.[58] In debates about cryptographic policy, the question of lawful government access – and the conditions under which such access should take place in order to respect human rights – has a vertical and national focus. Complexities of jurisdiction in lawful government access are significant and present a still unsolved puzzle. In particular, there has been a dramatic shift from traditional lawful government access to digital communications through the targeting of telecommunications providers with strong local connections, to access through targeting over-the-top services with fewer or loose connections to the jurisdictions in which they offer services to users. In which cases such internationally operating service providers should (be able to) hand over user data and communications to local authorities. The deployment of encryption by service providers is a further complicating factor.[1]
From the perspective of service providers, it seems likely that cryptographic methods will have to be designed to account for only providing user data on the basis of valid legal process in certain situations. In recent years, companies and especially online intermediaries have found themselves increasingly in the focus of the debate on the implementation of human rights.[59]Online intermediaries[55] not only have a role of intermediaries between Content Providers and users but also one of "Security Intermediaries" in various aspects. Their practices and defaults with regards to encryption are highly relevant to the user's access to and effective usage of those technologies. Since a great amount of data is traveling through their routers and is stored in their clouds, they offer ideal points of access for the intelligence community and non-state actors. Thus, they also, perhaps involuntarily, function as an interface between the state and the users in matters of encryption policy. The role has to be reflected in the human rights debate as well, and it calls for a comprehensive integration of security of user information and communication in the emerging Internet governance model of today.[1]
Human rights and encryption: obligations and room for action
UNESCO is working on promoting the use of legal assessments based on human rights in cases of interference with the freedom to use and deploy cryptographic methods.[1] The concept of Internet Universality, developed by UNESCO, includes an emphasis on openness, accessibility to all, and multi-stakeholder participation. While these minimal requirements and good practices can be based on more abstract legal analysis, these assessments have to be made in specific contexts. Secure authenticated access to publicly available content, for instance, is a safeguard against many forms of public and private censorship and limits the risk of falsification. One of the most prevalent technical standards that enables secure authenticated access is TLS. Closely related to this is the availability of anonymous access to information. TOR is a system that allows for practically anonymous retrieval of information online. Both aspects of access to content directly benefit the freedom of thought and expression. The principle of legal certainty is vital to every juridical process that concerns cryptographic methods or practices. The principle is essential to any forms of interception and surveillance because it can prevent unreasonable fears of surveillance, such as when the underlying legal norms are drafted precisely. Legal certainty may avert chilling effects by reducing an inhibiting key factor for the exercise of human rights for UNESCO.[1] Continuous innovation in the field of cryptography and setting and spreading new technical standards is therefore essential. Cryptographic standards can expire quickly as computing power increases. UNESCO has outlined that education and continuous modernization of cryptographic techniques are important.[1]
Human rights and cryptographic techniques
Risks
Relevant services adoption of cryptographic solutions
Good practices
Technical restrictions on access to content (blocking)
Cloud storage providers
Secure authenticated access to publicly available content
Interception
Internet connectivity provider
Legal certainty
Hacking by state and non-state actors
Publisher sites
Transparency about interferences
Traffic analysis and surveillance
Messenger and communication services
Availability of end-to-end secure communications
Interference with the reliability or authenticity of content
Browsers
Availability of anonymous access
Education, including media and information literacy
Standards and innovation
Legality of limitations
The impact of human rights can only be assessed by analyzing the possible limitations that states can set for those freedoms. UNESCO states that national security can be a legitimate aim for actions that limit freedom of speech and the right to privacy, but it calls for actions that are necessary and proportional.[1] "UNESCO considers an interference with the right to encryption as a guarantee enshrined in the freedom of expression and in privacy as being especially severe if:
It affects the ability of key service providers in the media and communications landscape to protect their users' information and communication through secure cryptographic methods and protocols, thereby constituting the requirement of uninhibited communications for users of networked communication services and technologies.
The state reduces the possibility of vulnerable communities and/or structurally important actors like journalists to get access to encryption;
Mere theoretical risks and dangers drive restrictions to the relevant fundamental rights under the legal system of a state;
The mode of state action, e.g. if restrictions on fundamental rights are established through informal and voluntary arrangements, lead to unaccountable circumvention or erosion of the security of deployed cryptographic methods and technologies."[1]
^ abcJames Nickel, with assistance from Thomas Pogge, M.B.E. Smith, and Leif Wenar, December 13, 2013, Stanford Encyclopedia of Philosophy, Human Rights. Retrieved August 14, 2014
^ abcThe United Nations, Office of the High Commissioner of Human Rights, What are human rights?. Retrieved August 14, 2014
^Burns H. Weston, March 20, 2014, Encyclopædia Britannica, human rights. Retrieved August 14, 2014
^Gürses, Seda; Preneel, Bart (2016). Cryptology and Privacy, In: Van Der Sloot, Broeders and Schrijvers (eds.), Exploring the Boundaries of Big Data. Netherlands Scientific Council for Government Policy.
^Claudia Diaz, Omer Tene and Seda Gürses (2013). Hero or Villain: The Data Controller in Privacy Law and Technologies. 74 Ohio State Law Journal. p. 923.
^ENISA and Europol Joint Statement (May 20, 2016). "On lawful criminal investigation that respects 21st Century data protection". {{cite news}}: |last= has generic name (help)
^See Ira Rubinstein and Joris van Hoboken. Privacy and Security in the Cloud, Maine Law Review 2014. Notably, the debate on encryption was already taking place before the Snowden revelations, as US law enforcement actors were arguing for the extension of wiretap obligations (CALEA) for internet services. For a discussion, see Adida et al. 2013.
^African (Banjul) Charter on Human and People's Rights, Adopted June 27, 1981, OAU Doc. CAB/LEG/67/3 rev. 5, 21 I.L.M. 58 (1982), entered into force October 21, 1986.
^African Union Convention on Cyber Security and Personal Data Protection, adopted on June 27, 2014. The Convention has currently been signed by 8 of the Member States.
^Ajibola Adigun, Affront on Freedom in Ghana with the Introduction of Spy Bill, Student For Liberty, March 29, 2016, https://studentsforliberty.org/africa/2016/03/29/affront-on-freedom-in-ghana-with-theintroduction-of-spy-bill/[dead link]
^Nigerian Communications Commission, Draft Lawful Interception of Communications Regulations, available at http://bit.ly/1du7UKO
^Mendel, Toby (n.d.). The UN Special Rapporteur on freedom of opinion and expression: progressive development of international standards relating to freedom of expression. in: McGonagle and Donders. The United Nations and Freedom of Expression and Information. pp. 238, chapter 8.{{cite book}}: CS1 maint: year (link)
^Manfred Nowak, CCPR Commentary, 2nd edition, p. 477. Cf. Michael O'Flaherty. International Covenant on Civil and Political Rights: interpreting freedom of expression and information standards for the present and the future. in: McGonagle and Donders. The United Nations and Freedom of Expression and Information. chapter 2, p. 69 et seq.
^Cumhuryiet Vafki and others v. Turkey, ECHR August 10, 2013 – 28255/07; Ricci v. Italy, ECHR August 10, 2013 – 30210/06.
^ abTarlach McGonagle. The United Nations and Freedom of Expression and Information. chapter 1, p. 3.
^Report of the Special Rapporteur on the right to privacy, Joseph A. Cannataci, A/HRC/31/64.
^Alexy, Robert; Rivers, Julian (n.d.). A Theory of Constitutional Rights. p. 315.{{cite book}}: CS1 maint: year (link)
^MacKinnon et al. UNESCO study; Cf. Karol Jakubowicz. Early days: the UN, ICTs and freedom of expression. in: The United Nations and Freedom of Expression and Information. chapter 10, pp. 324 et seq.