UN Report on Encryption and Anonymity: What You Should Know

by Jenny Shore

This week, David Kaye, the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, will present his first annual report, dealing with encryption technologies, to the Human Rights Council. The report, which generally has been highly regarded by advocacy groups – the EFF called it groundbreaking and Article 19 called it an “important milestone – outlines the role strong encryption and anonymity plays in exercising freedom of expression, while establishing a mandate for states to protect encryption within the human rights framework. The report makes its case by establishing the societal importance of strong encryption, justifying limitations on government interference with encryption, and laying out three major principles for limiting these interferences.

States Must Allow for Strong Encryption

Specifically, it makes the case that “secure online communication” as facilitated by encryption and anonymity technologies is protected by rights to privacy and freedom of expression and that, therefore, states should both “promote” and “not restrict” strong encryption. Importantly, the report mandates that:

"National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. Legislation and regulations protecting human rights defenders and journalists should also include provisions enabling access and providing support to use the technologies to secure their communications."

While bad actors benefit from strong encryption, it disproportionately benefits everyone else

The report is significant in its challenge to the dominant government narrative regarding encryption. Governments typically make a twofold case against strong encryption technologies. First, encryption is where “criminals and terrorists” carry out illegal activity. As such, while encryption in general is okay, technology companies should provide governments with backdoors and weak encryption to help them track down the bad guys.

The report challenges this argument first by recognizing the importance of encryption and anonymity both to the individual and society:

"A common human desire to protect one’s identity from the crowd, anonymity may liberate a user to explore and impart ideas and opinions more than she would using her actual identity…The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality."

Further, while the report acknowledges that bad actors can use encryption, it notes that this is a mere mapping of their offline activity onto virtual space: “The ‘dark’ side of encryption and anonymity is a reflection of the fact that wrongdoing offline takes place online as well.” Instead, the report makes the case that harm stemming from use of encryption and anonymity tools by bad actors is outweighed by the multitude of positive uses by everyone else, including “journalists, civil society organizations, members of ethnic or religious groups, those persecuted because of their sexual orientation or gender identity, activists, scholars, artists and others.”

State interference with encryption should be limited by legal procedures, public support, and necessity

Recognizing the “seemingly universal position among technologists” that it is virtually impossible to weaken encryption on behalf of law enforcement efforts without damaging “everyone’s security” in the process, the report supports limited conditions for States to interfere with encryption -- with three major conditions. First, state interference with encryption should support a “specified” matter of public welfare, narrowly construed; second, it should be “provided for by law” and consistent with public support; and third, it should be shown to be “necessary,” including as it meets a “proportionality” standard (meaning that this measure is the only option available to the government). While the report does not unconditionally oppose backdoors and key escrows or outright legal bans on encryption use, it notes that it likely will not be possible to meet the three criteria outlined above in justifying their use.