Techdirt has been following for a while a worrying move to demonize strong encryption, amid calls from politicians and senior law enforcement officials for it to be undermined or compromised. That makes a new report affirming the central importance of encryption (doc), from the UN’s Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, particularly valuable. His report clearly inhabits a post-Snowden world, since it takes as its starting point the following:
Contemporary digital technologies offer Governments, corporations, criminals and pranksters unprecedented capacity to interfere with the rights to freedom of opinion and expression.
The report looks at ways in which encryption and anonymity can help to protect basic rights to privacy and freedom of opinion and expression, and explores to what extent governments may impose restrictions. In many ways, the most interesting aspect of his analysis concerns the right to hold opinions:
During the negotiations on the drafting of the [International Covenant on Civil and Political Rights], “the freedom to form an opinion and to develop this by way of reasoning was held to be absolute and, in contrast to freedom of expression, not allowed to be restricted by law or other power”. The ability to hold an opinion freely was seen to be a fundamental element of human dignity and democratic self-governance, a guarantee so critical that the Covenant would allow no interference, limitation or restriction.
But as Kaye points out, the ability to hold opinions is now intimately bound up with technology:
Individuals regularly hold opinions digitally, saving their views and their search and browse histories, for instance, on hard drives, in the cloud, and in e-mail archives, which private and public authorities often retain for lengthy if not indefinite periods. Civil society organizations likewise prepare and store digitally memoranda, papers and publications, all of which involve the creation and holding of opinions. In other words, holding opinions in the digital age is not an abstract concept limited to what may be in one’s mind. And yet, today, holding opinions in digital space is under attack.
Encryption and anonymity, he concludes, are powerful ways to preserve that right to hold opinions in a digital form:
The right to hold opinions without interference also includes the right to form opinions. Surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, likely deters individuals from accessing information, particularly where such surveillance leads to repressive outcomes. For all these reasons, restrictions on encryption and anonymity must be assessed to determine whether they would amount to an impermissible interference with the right to hold opinions.
In terms of “permissible interference,” the following factors are key:
Restrictions on encryption and anonymity, as enablers of the right to freedom of expression, must meet the well-known three-part test: any limitation on expression must be provided for by law; may only be imposed for legitimate grounds (as set out in article 19 (3) of the Covenant); and must conform to the strict tests of necessity and proportionality.
It’s the last of those that is increasingly under the spotlight after Snowden’s leaks revealed a global system whose underlying principle — “collect it all” — is the very antithesis of proportionality:
A high risk of damage to a critical, legitimate State interest may justify limited intrusions on the freedom of expression. Conversely, where a restriction has a broad impact on individuals who pose no threat to a legitimate government interest, the State’s burden to justify the restriction will be very high.
Kaye picks up on this theme again in his recommendations, where he notes that encryption and anonymity are not just vital for the right to freedom of opinion and expression in the digital age, but also for other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity. As a result:
States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. In addition, States should refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users. Corporate actors should likewise consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms). Court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals.
One issue rather skated over there is what happens when court-ordered decryption is impossible. Kaye rightly notes that it is “a seemingly universal position among technologists that there is no special access that can be made available only to government authorities, even ones that, in principle, have the public interest in mind.” Absent such backdoors, you can build systems where even the service providers cannot access messages, which renders court orders moot. Nonetheless, Kaye’s report is important, because it offers a counter-argument to repeated assertions by the authorities that encryption is essentially something bad, used by bad people to do bad things. He also has an answer to those who claim that strong crypto will usher in a new Dark Age for law enforcement:
Governments have at their disposal a broad set of alternative tools, such as wiretapping, geo-location and tracking, data-mining, traditional physical surveillance and many others, which strengthen contemporary law enforcement and counter-terrorism.
That’s a crucial fact that is almost always overlooked. Its appearance here is another reason why this new UN report is welcome.