
Human rights and encryption

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Sarah GM (talk | contribs) at 16:02, 23 October 2017 (Human rights and encryption). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Introduction

Since the 1970s, the availability of digital computing and the invention of so-called public key cryptography have made encryption more widely available in our societies. Before that, strong versions of encryption, i.e. encryption that is very hard to break, were the domain of nation state actors. However, over the last decades, encryption and the continuing innovations in the field have proven uniquely suitable for use in digital environments. Cryptographic techniques have been widely deployed by a variety of actors to ensure personal, commercial and public sector protection of information and communication. Cryptographic techniques are also used to protect the anonymity of communicating actors and thereby privacy more generally. The availability and use of encryption continues to lead to complex, important and highly contentious legal policy debates. Encryption plays a key role in policy frameworks promoting network security and integrity. Still, there are government statements and proposals on the need to curtail such usage and deployment in view of the potential hurdles it could present for access by government agencies. The rise of commercial services offering end-to-end encryption and the calls for restrictions and solutions in view of law enforcement access are re-fueling the current round of debates around the use of encryption and the legal status of the deployment of cryptography more generally.

Encryption, as defined above, refers to a subset of cryptographic techniques for the protection of information and computation. The normative value of encryption, however, is not fixed but varies with the type of cryptographic method that is used or deployed and the purposes it serves. Traditionally, encryption (cypher) techniques were used to ensure the confidentiality of communications and prevent access to information and communications by anyone other than the intended recipients. Cryptography can also ensure the authenticity of communicating parties and the integrity of communications contents, providing a key ingredient for enabling trust in the digital environment.

Encryption and human rights

From a human rights perspective, there is a growing awareness that encryption is an important piece of the puzzle for realizing a free, open and trustworthy Internet. UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye observed, during the Human Rights Council in June 2015, that encryption and anonymity deserve a protected status under the rights to privacy and freedom of expression:

"Encryption and anonymity, today’s leading vehicles for online security, provide individuals with a means to protect their privacy, empowering them to browse, read, develop and share opinions and information without interference and enabling journalists, civil society organizations, members of ethnic or religious groups, those persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others to exercise the rights to freedom of opinion and expression."[1]

Encryption in the media and communication landscape

A distinction must be made on the basis of who is responsible for the deployment of encryption: is encryption used as a result of the choice of a service provider, or is it deployed by (communities of) internet users? In discussing the deployment of user or client-side encryption tools and technologies, it is important to keep in mind those communities of users that have special security needs that are relevant from a human rights perspective, such as human rights defenders, marginalized communities, journalists and other online media actors practicing journalism. A second distinction is between end-to-end encryption and other methods of encryption. Considering the central issue of the possibility to legally compel service providers to provide access to user information, this is an important distinction when looking at the human rights implications of encryption in particular. Many forms of encryption are deployed by service providers to secure communications in a way that prevents unauthorized third party access, but the service provider implementing it still has access to the relevant user data. With end-to-end encryption, we refer to encryption that also prevents service providers themselves from having access to the user’s communications. The implementation of these forms of encryption has recently sparked the most debate.

Service provider deployed techniques to prevent unauthorized third-party access

Amongst the most widely deployed cryptographic techniques is the technique to secure the communications channel between internet users and specific service providers from unauthorized third party access. These cryptographic techniques must be run jointly by a user and the service provider to work. This means that they require service providers, such as an online news publisher or a social network, to actively integrate them into service design and implementation. Users cannot deploy these techniques unilaterally; their deployment is contingent on active participation by the service provider. The TLS protocol, which becomes visible to the normal internet user through the HTTPS header, is widely used for securing online commerce, e-government services and health applications as well as devices that make up networked infrastructures, e.g., routers, cameras. However, although the standard has been around for almost 20 years, the wider spread and evolution of the technology has been slow, picking up most significantly in recent years. As with other cryptographic methods and protocols, the practical challenges related to proper, secure and (wider) deployment are significant and have to be considered. Many service providers still do not implement TLS or do not implement it well.

In the context of wireless communications, the use of cryptographic techniques that protect communications from third parties is also important. Different standards have been developed to protect wireless communications: 2G, 3G and 4G standards for communication between mobile phones, base stations and base station controllers; standards to protect communications between mobile devices and wireless routers (‘WLAN’); and standards for local computer networks. One common weakness in these designs is that the transmission points of the wireless communication, e.g., the telecommunications provider, can access all communications. This vulnerability is exacerbated when wireless protocols only authenticate user devices, but not the wireless access point.

There is also a distinction, for data ‘at rest’, with regard to whether the data is stored on a device or on a local server, as in the cloud. Given the vulnerability of cellphones to theft, for instance, particular attention may be given to limiting even service provider access (see below). In general, this does not exclude the situation that the service provider discloses this information to third parties like other commercial entities or governments. In other words, the user needs to trust the service provider to act in its interests. The possibility that a service provider is legally compelled to hand over user information or to interfere with particular communications with particular users remains.

Service provider deployed techniques that limit service provider access

There are services that specifically market themselves with claims not to have access to the content of their users’ communication. Service providers can also take measures that restrict their ability to access information and communication, thereby further increasing the protection of users against access to their information and communications. The integrity of such measures, also called Privacy Enhancing Technologies (PETs), depends on delicate design decisions as well as the willingness of the service provider to be transparent and accountable.

It is worth noting at the outset that for many of these services, the service provider may offer some additional features (besides the ability to communicate), for example contact list management -- meaning that they can observe who is communicating with whom -- but take technical measures so that they cannot read the contents of the messages. This has potentially negative implications for users. For instance, since the service provider has to take action to connect users who want to communicate using the service, it will also have the power to prevent users from communicating in the first place.

Following the discovery of vulnerabilities, there is a growing awareness that there needs to be more investment in the auditing of widely used code coming out of the free and open software community.

The pervasiveness of business models that depend on collection and processing of user data can be an obstacle for adopting cryptographic mechanisms for protecting information at rest. In fact, as Bruce Schneier has stated: “[s]urveillance is the business model of the Internet. This has evolved into a shockingly extensive, robust, and profitable surveillance architecture. You are being tracked pretty much everywhere you go on the Internet, by many companies and data brokers: ten different companies on one site, a dozen on another.”[2]

Finally, cryptographic methods play a key role in online identity management. Digital credential systems can be used to allow anonymous yet authenticated and accountable transactions between users and service providers, and can be used to build privacy preserving identity management systems.[3]

End-user and community-driven encryption and collaborative services

A powerful characteristic of the Internet is that it allows end-users to develop applications and uses of the network without having to coordinate with the relevant internet service providers. Related to this characteristic, many of the available encryption tools are not developed or offered by traditional service providers or organizations but by experts in the free and open software and the Internet engineering communities. A major focus of these initiatives is to produce Privacy Enhancing Technologies (PETs) that can be unilaterally or collaboratively deployed by interested -- and presumably technically competent -- users who are ready, willing, and able to look after their own privacy interests when interacting with service providers. These PETs include standalone encryption applications as well as browser add-ons that help maintain the confidentiality of web-based communications or permit anonymous access to online services. On the other hand, technologies such as keystroke loggers can intercept content as it is entered before encryption is applied, thereby falling short of offering protection. Hacking into information systems and devices to access data at or after the moment of decryption may have the same effect.

Multi-party computation (MPC) techniques are yet another example of collaborative solutions that allow parties, for example multiple NGOs with sensitive data, to do data analytics without revealing their datasets to each other. All of these designs have in common that they leverage encryption to provide privacy and security assurances in the absence of a trustworthy centralized authority.
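As an illustration added to this article (not taken from the UNESCO text), the following sketch shows one simple MPC building block, additive secret sharing, computing a joint total without any party disclosing its own figure. The function names, the modulus and the NGO case counts are assumptions constructed for the example, and the parties are assumed to follow the protocol honestly.

```python
import secrets

P = 2**61 - 1  # public prime modulus; the true total must stay below P

def share(value, n):
    """Split value into n additive shares that sum to value modulo P."""
    if not 0 <= value < P:
        raise ValueError("value must be in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def secure_sum(private_inputs):
    """Simulate one round of additive-sharing MPC among semi-honest parties.

    Returns (total, partials). Party j only ever sees column j of the share
    matrix plus the published partials, never another party's raw input.
    """
    n = len(private_inputs)
    if n < 2:
        raise ValueError("need at least two parties")
    # dealt[i][j] is the share party i sends to party j over a private channel.
    dealt = [share(v, n) for v in private_inputs]
    # Each party j publishes only the sum of the shares it received.
    partials = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    return sum(partials) % P, partials

def recover_by_collusion(total, colluding_inputs):
    """Caveat: if all parties but one pool their inputs, the output itself
    reveals the remaining party's value. No protocol can prevent this."""
    return (total - sum(colluding_inputs)) % P

if __name__ == "__main__":
    # Constructed sample data: case counts held by three NGOs.
    counts = [120, 45, 310]
    total, partials = secure_sum(counts)
    print("published partial sums:", partials)
    print("joint total:", total)
    print("what NGOs 2 and 3 can infer together:",
          recover_by_collusion(total, counts[1:]))
```

Each individual share and each published partial sum is uniformly random on its own, so a single party learns nothing beyond the total; the collusion helper shows the limit of that guarantee.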

Finally, it is worth mentioning the application of encryption to financial transactions. There are many recent developments in the implementations of crypto-currencies using so-called blockchain protocols. These systems can have many benefits and these protocols can also be useful for novel forms of contracts and electronic attestation, useful aids when legal infrastructure is not readily available. As to the protection of privacy related to payments, it is a common misconception that the cryptographic techniques that are used in Bitcoin ensure anonymous payments. Technically, however, the only protection offered by Bitcoin is pseudonymity.[4]

The cryptographic protection of metadata

The availability of metadata, i.e. the information relating to a user’s information and communications behavior, can pose a particular threat to users. By metadata in this context we refer to information that service providers can observe through the provisioning of services: when, how frequently, how long, and with whom users are communicating. Metadata can also be used to track people geographically and can interfere with their ability to communicate anonymously. As noted by the Berkman Center report, metadata is generally not encrypted in ways that make it inaccessible for governments, and accordingly “provides an enormous amount of surveillance data that was unavailable before [internet communication technologies] became widespread.”[5] In order to minimize exposure of meaningful metadata, encryption tools may need to be used in combination with technologies that provide communication anonymity.

The Onion Router, most commonly known as Tor, offers the ability to access websites and online services anonymously. Tor requires a community of volunteers to run intermediary proxies which channel a user’s communication with a website so that third parties cannot observe who the user is communicating with. Through the use of encryption, each proxy is only aware of part of the communication path, meaning that none of the proxies can by itself infer both the user and the website she is visiting. Besides protecting anonymity, Tor is also useful when the user’s ISP blocks access to content. This is similar to the protection that can be offered by a VPN. On the other hand, service providers, such as websites, can block connections that come from the Tor network. Because certain malicious traffic may reach service providers as Tor traffic and because Tor traffic may also interfere with the business models, service providers may have an incentive to do so. This interference can prevent users from using the most effective means to protect their anonymity online. The Tor browser allows users to obfuscate the origin and end-points of their communications when they communicate on the internet.

Here, obfuscation refers to the automated generation of “fake” signals that are indistinguishable from users’ actual online activities, providing users with a noisy “cover” under which their real information and communication behavior remains unobservable. Obfuscation has received more attention as a method to protect users online recently. TrackMeNot is an obfuscation tool for search engine users: the plugin sends fake search queries to the search engine, affecting the ability of the search engine provider to build an accurate profile of the user. Although TrackMeNot and other search obfuscation tools have been found to be vulnerable to certain attacks that allow search engines to distinguish between user-generated and computer-generated queries, further advances in obfuscation are likely to play a positive role in protecting users when disclosure of information is inevitable, as in the case of search or location-based services.

Cryptography, law and human rights

‘Going dark’ or a ‘Golden age of surveillance’

Encryption and the law: the broader landscape

International cryptography policy and human rights

National level developments in selected countries

United States of America

Germany

India

Brazil

The African region

International instruments

Sources

This article incorporates text from a free content work. Licensed under CC BY SA 3.0 IGO (license statement/permission). Text taken from Human rights and encryption, 14-59, Wolfgang Schulz, Joris van Hoboken, UNESCO. https://en.unesco.org/unesco-series-on-internet-freedom.

References

  1. ^ Keystones to foster inclusive knowledge societies: access to information and knowledge, freedom of expression, privacy and ethics on a global internet. UNESCO. 2015. http://www.unesco.org/ulis/cgi-bin/ulis.pl?catno=232563&set=0059EDFBB1_1_85&gp=1&lin=1&ll=1
  2. ^ Schneier, Bruce (2015). How We Sold Our Souls - and More - to the Internet Giants. https://www.schneier.com/essays/archives/2015/05/how_we_sold_our_soul.html
  3. ^ Claudia Diaz, Omer Tene and Seda Gürses (2013). Hero or Villain: The Data Controller in Privacy Law and Technologies. 74 Ohio State Law Journal. p. 923.
  4. ^ "See Bitcoin is NOT anonymous".
  5. ^ "Berkman Center". 2016.