Today, the UN Special Rapporteur on freedom of expression published a research paper assessing trends in State regulation of encryption and digital privacy and security practices in the Information and Communications Technology (“ICT”) sector. This paper is a follow-up to his landmark 2015 report to the Human Rights Council, which examined the need for robust protection of encryption and anonymity to safeguard freedom of expression in the digital age. The trend lines are stark: governments worldwide are establishing increasingly punitive restrictions on encryption tools, going as far as to ban or criminalize their use. While there are encouraging signs that the private sector is taking the need to provide encryption more seriously, the lack of concomitant State protections is likely to jeopardize the privacy and security of end users.
As the Special Rapporteur observed in 2015, encryption establishes a “zone of privacy” that enables the exercise of freedom of opinion and expression free from arbitrary interference and unlawful attacks. In the Internet of Things era, encryption is not only integral to the privacy and security of our communications and transactions, but also to the safety and security of our homes, where smart devices are proliferating. States should not only ensure that interferences with encryption comply with the requirements of legality, necessity and proportionality under international human rights law – they should also establish affirmative protections that promote its use, particularly among activists, artists, journalists and human rights defenders.
Despite the mounting importance of encryption in our daily lives, States have moved aggressively in recent years to interfere with its use. Among the most alarming developments are State demands to compel backdoor access to cell phones and other devices that are otherwise encrypted. As many digital security experts have pointed out, anyone with sufficient technical capability may exploit such backdoors, rendering all users vulnerable to hacking and other nefarious activity. Another alarming trend is the adoption of broad and deliberately vague hacking mandates, which may give law enforcement and intelligence agencies the authority to weaken encryption and undermine digital security with impunity.
Even as governments escalate their crackdown on encryption, the private sector has in recent years demonstrated willingness to ensure robust protection for the digital security and privacy of end users. For example, major Internet companies have integrated end-to-end encryption into their messaging platforms as a default security setting, or at least provided it as an optional setting. The Special Rapporteur encourages messaging platforms to adopt end-to-end encryption as a matter of default, and to conduct human rights due diligence and take other appropriate action to ensure the best possible privacy and security protections for end users.
The same goes for Internet service providers (“ISPs”) and smart device manufacturers, the other two industries studied in the paper. ISPs routinely transmit and handle encrypted traffic, while device manufacturers develop cell phones, laptops and smart devices that require strong data protection. Both would do well to continually evaluate their responsibility to safeguard the privacy, security and related human rights of end users.