
5/28/2015
06:15 PM

UN Report Warns Encryption Backdoors Violate Human Rights

Report says States should be promoting strong encryption and anonymity tools, not restricting them.

Encryption is essential to protecting a variety of human rights, and nation-states should avoid all measures to weaken it, according to a report released today by the United Nations Human Rights Council.

The document, written by UN Special Rapporteur David Kaye, was based upon questionnaire responses submitted by 16 States, opinions submitted by 30 non-government stakeholders, and statements made at a meeting of experts in Geneva in March.

According to the report, encryption and anonymity tools (like VPNs, proxies, and onion routing) are both necessary to ensuring individuals' privacy, freedom of opinion, freedom of expression, and freedom to seek, receive, and impart information and ideas. All of these rights are protected under and described by the UN's International Covenant on Civil and Political Rights, to which 168 states are party, and the UN Universal Declaration on Human Rights.

Yet, law enforcement and intelligence agencies in a variety of countries, including the United States, are trying to institute restrictions on encryption, arguing that it jeopardizes their efforts to protect national security and bring criminals to justice. 

[Although law enforcement is asking for "indulgence on the subject of encryption," cloud providers, mobile device manufacturers, and lawmakers aren't ready to oblige. See "Law Enforcement Finding Few Allies on Encryption."]

According to the UN's report, "States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows."

It even goes so far as to suggest "States should promote strong encryption and anonymity" [emphasis added].

Some of the reasons it's so important:

The report points out that while freedom of expression gets plenty of attention, greater attention must be paid to freedom of ideas, because "the mechanics of holding opinions have evolved in the digital age and exposed individuals to significant vulnerabilities."

Whereas ideas might once have just been stored in one's mind or jotted down in a bedside diary or private letters, now ideas are scattered around places like browser histories, e-mail archives, and mandatory surveys on web registration pages. Ideas thus become concrete, instead of abstract, which changes the scope of surveillance, criminalization, harassment, and defamation that can happen in relation to opinions.

Encryption and anonymity technology could help individuals protect their rights; and by proxy, help the nations that are obligated to help them protect those rights. The International Covenant on Civil and Political Rights not only protects individuals against "arbitrary or unlawful interference with his or her privacy ... or correspondence" and "unlawful attacks on his or her honour and reputation," it also states that “everyone has the right to the protection of the law against such interference or attacks.”

"Such protection must include the right to a remedy for a violation," the report states. "In order for the right to a remedy to be meaningful, individuals must be given notice of any compromise of their privacy through, for instance, weakened encryption or compelled disclosure of user data."

The report also points out that some countries base their censorship efforts on keyword searches, and that encryption enables individuals to avoid that kind of filtering. 

"The trend lines regarding security and privacy online are deeply worrying," the report says. "States often fail to provide public justification to support restrictions. Encrypted and anonymous communications may frustrate law enforcement and counter-terrorism officials, and they complicate surveillance, but State authorities have not generally identified situations — even in general terms, given the potential need for confidentiality — where a restriction has been necessary to achieve a legitimate goal. States downplay the value of traditional non-digital tools in law enforcement and counter-terrorism efforts, including transnational cooperation  ...

"Efforts to restrict encryption and anonymity also tend to be quick reactions to terrorism, even when the attackers themselves are not alleged to have used encryption or anonymity to plan or carry out an attack."

The UN Human Rights Council, in the report, advises against any restrictions on encryption and anonymity technologies, but acknowledges that if restrictions must happen, they must meet several requirements:

Any restriction must be "precise, public, transparent and avoid providing State authorities with unbounded discretion to apply the limitation." Limitations must only be justified to protect specified interests. States must prove any restriction is "necessary" to achieve a legitimate objective, and release that restriction as soon as that objective is complete. By "necessary," the report means that the restriction must be the least intrusive measure available and proportional to the severity of the objective.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
 

Comments
Joe Stanganelli,
User Rank: Ninja
6/1/2015 | 11:58:48 PM
Re: Keys to the Kingdom
Well, major provisions of the PATRIOT Act have expired, at least.

For now.  The USA Freedom Act (hah) seems inevitable regardless, despite Rand Paul's efforts -- as national security hawks try to weaken the privacy protections in it.  :/
RyanSepe,
User Rank: Ninja
5/31/2015 | 11:25:06 PM
Re: Keys to the Kingdom
I very much agree. We have always been trying to claw our way out of the snow and sending out rescue missions with little hope. But from those instances procedures are formulated to try and minimize risk for the next go around. Unfortunately, some need to be burned by the stove before they learn not to touch it.
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:05:35 PM
Re: Keys to the Kingdom
I don't think it's a slippery slope; I think we've already fallen off the mountain beneath an avalanche.
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:05:04 PM
Re: good luck
The funny thing about other countries' calls for more privacy in the wake of the Snowden revelations was that it came out that all those other countries do the same thing.  :p
RyanSepe,
User Rank: Ninja
5/29/2015 | 1:25:34 PM
Keys to the Kingdom
It seems that law enforcement is asking for keys to the kingdom. Allowing encryption to the point where data is visible to law enforcement seems like an invasion of privacy. This is a slippery slope.
Mark532010,
User Rank: Moderator
5/29/2015 | 11:12:51 AM
good luck
Good luck with that, it seems we are moving in the exact opposite direction.