First published in Thomson Reuters Foundation News.
Outrage over China’s blocking of Signal should be harnessed to defend the rights to encryption globally.
Recently, Signal joined the ranks of foreign technologies blocked in China. The end-to-end encrypted messaging application is now only accessible through a virtual private network (VPN), which allows users to circumvent the Great Firewall and surf the web through encrypted tunnels.
VPN use in China is itself all but criminalized under a host of laws and policies. This includes the 2017 Cybersecurity Law and notice from the Ministry of Industry and Information Technology (MIIT) to “clean up the internet,” part of a targeted campaign under Xi Jinping and his push for “Internet Sovereignty.”
This has been accomplished, sadly, with support from foreign technology firms as well. Since 2017, for example, Apple has removed VPNs from its online store for anyone with a Chinese Apple ID, regardless of where in the world they are logging onto the internet. VPN use has carried disproportionate prison sentences.
News of the encrypted messaging application’s blockage in China piqued global concern, rightly expressing outrage at the ongoing assault on freedom of expression and access to information in China, and deteriorating ability of people to exist securely online.
Around the world, people rely on encryption for online security, such as to access banking websites, handle medical data, or submit online ballots, to engage safely with their peers free of persecution because of their sexual orientation, ethnic or religious minority status, or because they are human rights defenders, whistleblowers, or journalists.
Outrage over China’s latest act of censorship should be harnessed in defense of the rights to encryption everywhere.
The war on encryption
In the United States, the fight over encryption generated considerable popular attention in the wake of the 2015 San Bernardino shooting and efforts by the FBI to force Apple to create backdoor access to the encrypted mobile device of one of the shooters.
Under the Trump administration, pressure on companies to weaken encryption protection for law enforcement increased and it isn’t clear what direction the new Biden administration will take. Although, the 1994 Communications Assistance for Law Enforcement Act (CALEA), and others, in theory still offer a degree of protection for encryption.
The United Kingdom, through the 2016 Investigatory Powers Act, can in principle compel providers to remove select electronic protections for communication data. Australia has the 2018 Assistance and Access Act, which puts pressure on technology and service providers to build in accessibility.
India is also in the process of major information technology law changes that threaten encryption and a range of other rights online.
Germany has taken a slightly different approach. Rather than a stricter focus on regulations, Germany has moved forward with plans to establish a “lawful hacking” unit for getting around encryption.
Such efforts to disrupt encryption through laws or technologies may seem an acceptable tradeoff for law enforcement in countries with more functioning rule of law but from a privacy rights perspective an attack on encryption anywhere is an attack on encryption everywhere.
In defense of encryption
The rights to freedom of expression and privacy are enshrined in the International Covenant on Civil and Political Rights (ICCPR), and although a right to encryption has not been explicitly recognized it is essential for the exercise of fundamental human rights.
Encryption can be the difference between life and death, freedom or detention and abuse.
Admittedly, there is also a dark side to online anonymity and encrypted communications, from the communications of terrorists to the online incitement of violence against marginalized communities. However, addressing such harms must be case by case, prescribed by law, in pursuit of a legitimate aim, and necessary and proportionate to that aim.
Governments should champion laws and policies that promote and protect the right to privacy and freedom of expression. This should include laws that recognize and protect an individual’s right to privacy through encryption technologies. Such legal protections, arguably, should be even stricter for human rights defenders and journalists. The rules and technologies that enable end-to-end encryption should also be extended to cover metadata.
At the same time, efforts to weaken encryption technologies such as through backdoors or related policies must be avoided. Other policies that weaken privacy rights, such as requirements for national ID or biometric registration of SIM cards or other real-name registrations for online connectivity, should also be avoided.
Technology companies should resist pressure to weaken the encryption standards of their services and acknowledge expectations under the UN Guiding Principles on Business and Human Rights to mitigate the potential human rights impact of their business activities.
Funding should be increased to foundations that provide grants to research and develop new technologies, especially open source, for encrypted storage and communication. One example is the US-based Open Technology Fund which to date has provided nearly 3 million dollars in funding to Open Whisper Systems, behind the Signal messaging application. Support should also be increased for cross-disciplinary research, workshops, and co-design.