Encryption is essential to protecting a variety of human rights, and nation-states should avoid all measures to weaken it, according to a report released today by the United Nations Human Rights Council.
The document, written by UN Special Rapporteur David Kaye, was based upon questionnaire responses submitted by 16 States, opinions submitted by 30 non-government stakeholders, and statements made at a meeting of experts in Geneva in March.
According to the report, encryption and anonymity tools (like VPNs, proxies, and onion routing) are both necessary to ensuring individuals' privacy, freedom of opinion, freedom of expression, and freedom to seek, receive, and impart information and ideas. All of these rights are protected under and described by the UN's International Covenant on Civil and Political Rights, to which 168 states are party, and the UN Universal Declaration on Human Rights.
Yet, law enforcement and intelligence agencies in a variety of countries, including the United States, are trying to institute restrictions on encryption, arguing that it jeopardizes their efforts to protect national security and bring criminals to justice.
[Although law enforcement is asking for "indulgence on the subject of encryption," cloud providers, mobile device manufacturers, and lawmakers aren't ready to oblige. See "Law Enforcement Finding Few Allies on Encryption."]
According to the UN's report, "States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows."
It even goes so far as to suggest "States should promote strong encryption and anonymity" [emphasis added].
Some of the reasons it's so important:
The report points out that while freedom of expression gets plenty of attention, greater attention must be paid to freedom of ideas, because "the mechanics of holding opinions have evolved in the digital age and exposed individuals to significant vulnerabilities."
Whereas ideas might once have just been stored in one's mind or jotted down in a bedside diary or private letters, now ideas are scattered around places like browser histories, e-mail archives, and mandatory surveys on web registration pages. Ideas thus become concrete, instead of abstract, which changes the scope of surveillance, criminalization, harassment, and defamation that can happen in relation to opinions.
Encryption and anonymity technology could help individuals protect their rights; and by proxy, help the nations that are obligated to help them protect those rights. The International Covenant on Civil and Political Rights not only protects individuals against "arbitrary or unlawful interference with his or her privacy ... or correspondence" and "unlawful attacks on his or her honour and reputation," it also states that “everyone has the right to the protection of the law against such interference or attacks.”
"Such protection must include the right to a remedy for a violation," the report states. "In order for the right to a remedy to be meaningful, individuals must be given notice of any compromise of their privacy through, for instance, weakened encryption or compelled disclosure of user data."
The report also points out that some countries base their censorship efforts on keyword searches, and that encryption enables individuals to avoid that kind of filtering.
"The trend lines regarding security and privacy online are deeply worrying," the report says. "States often fail to provide public justification to support restrictions. Encrypted and anonymous communications may frustrate law enforcement and counter-terrorism officials, and they complicate surveillance, but State authorities have not generally identified situations — even in general terms, given the potential need for confidentiality — where a restriction has been necessary to achieve a legitimate goal. States downplay the value of traditional non-digital tools in law enforcement and counter-terrorism efforts, including transnational cooperation ...
"Efforts to restrict encryption and anonymity also tend to be quick reactions to terrorism, even when the attackers themselves are not alleged to have used encryption or anonymity to plan or carry out an attack."
The UN Human Rights Council, in the report, advises against any restrictions on encryption and anonymity technologies, but acknowledges that if restrictions must happen, they meet several requirements:
Any restriction must be "precise, public, transparent and avoid providing State authorities with unbounded discretion to apply the limitation." Limitations must only be justified to protect specified interests. States must prove any restriction is "necessary" to achieve and legitimate objective, and release that restriction as soon as that objective is complete. By "necessary," the report means that the restriction must be the least intrusive measure available and proportional to the severity of the objective.