On Wednesday, Special Rapporteur on freedom of opinion and expression David Kaye will present his report on international legal protection for encryption and anonymity to the United Nations Human Rights Council. The report is an important contribution to the security conversation at a time when some Western leaders are calling for ill-informed and impossible loopholes in technology--a trend that facilitates surveillance and tends to enable states that openly seek to repress journalists.
Ethiopia, which aggressively prosecuted a group known as the "Zone 9" bloggers for participating in email encryption training, is one such state. Authorities there jail more journalists than any other country in Africa, other than Eritrea, and it is the fourth most censored country in the world, according to CPJ research. The Ethiopian government is suspected of conducting widespread surveillance inside the county and of hacking the computers of journalists living overseas.
"In a country like Ethiopia where journalists are consistently watched, [we] need to protect their communications and their data to do reports on sensitive issues," Endalkachew H/Michael, one of the co-founders of Zone 9, told CPJ by email. "If a journalist cannot protect her communication with her sources, she cannot practice journalism."
Michael, who left Ethiopia to study for his doctorate in media studies at the University of Oregon, added: "I believe encryption is a lifeblood for freedom of expression."
In his report, Kaye urged states to promote strong encryption and anonymity through legislation and regulation. The report recommended eschewing restrictions on encryption and anonymity "which facilitate and often enable the rights to freedom of opinion and expression." Kaye said measures by states that weaken security online posed a "serious threat" to freedom of expression, and suggested that some common state practices and proposals were in violation of international law. The report described blanket measures such as encryption backdoors, weak encryption standards, and the holding of encryption keys in escrow as deeply problematic, and concluded that "measures that impose generally applicable restrictions on massive numbers of persons, without a case-by-case assessment," are almost certainly illegal.
In order to satisfy international proportionality principles, the report said, forced decryption by governments must be made on a case-by-case basis, constrained by law, and subject to judicial warrant.
The report went further, acknowledging that state regulation of encryption can be "tantamount to a ban[.]" It condemned the regulatory practices of countries including Pakistan, Cuba, and Ethiopia, noting that they interfered with the right of individuals to encrypt communication. The report supported anonymous and pseudonymous speech, and denounced rules that require users to identify themselves as a precondition to communication. Finally, it urged privately owned companies to refrain from blocking or limiting encrypted communication and to permit anonymous communication.
Why encryption by default is necessary
Kaye's recommendations get to the core of why encryption by default is so necessary. He has brushed aside technically impossible rhetoric and dismissed false legal narratives that serve to reinforce the power of states to censor, surveil and harass journalists.
Under international law, state action that restricts freedom of expression must meet an exacting legal test. First, any limitations must be provided for by law. Second, they must be imposed on legitimate grounds. Third, they must be necessary and proportionate. As enablers of the right to freedom of expression, any restrictions on encryption or anonymity must conform to the same standards, Kaye argues in his report. And that means restrictions on encryption or anonymity are especially likely to fail the third prong because "blanket prohibitions fail to be necessary and proportionate."
Like the right to freedom of expression, encryption and anonymity also enable individuals to form and hold opinions. Unlike freedom of expression the right to hold opinions is absolute--a key distinction Kaye identified as an independent but related basis for protecting privacy-enhancing tools.
Kaye told CPJ that technology was generating new threats to which existing legal principles must apply, adding, "How can a person develop opinions about the world without access to receive information, especially online?"
An attorney, Kaye is realistic about the limits of law for regulating government behavior. As he notes in his report, many states have explicit protection for journalist-source communication. Nonetheless, "States often breach source anonymity in practice, even where it is provided for in law." His report emphasized the need for journalists and others to have the freedom to protect themselves, an astute argument given the borderless nature of the Internet.
For Ali Nikouei, an Iranian blogger who said he was forced to flee, the need for protection is a stark reality. "A journalist [or] an activist who wants to, for example, organize a protest, who wants to have a connection with a news agency outside of Iran ... they have problems," Nikouei told CPJ at the Circumvention Tech Festival in Valencia, Spain, in March. Nikouei, who said he was arrested and held for three months in Iran in 2009, added: "The government is listening to their conversations. The government does everything it can."
Kaye's report gives further momentum to CPJ's vital work. We are engaged with the U.N., the American government, companies, and newsrooms to help make encryption by default a reality in 2015-- a shift that would protect journalists, sources, readers, and other end-users automatically. CPJ converted its site to HTTPs-only earlier this year, which helped us successfully advocate for security improvements at institutions such as Knight Media Lab at Northwestern University and investigative journalism nonprofit ProPublica. Additionally, CPJ will host a technology summit in San Francisco this week to press for the uniform adoption of security best practices in newsrooms.
The momentum for enhanced security is building. The Let's Encrypt project aims to provide free, automated, and open HTTPS certificates to the public within several months. On June 12, Wikipedia announced that its site would convert to HTTPS by default, a process in which the international blogging network Global Voices is also engaged, and which The New York Times is exploring. And, at the same time that it was pressuring Apple and other tech companies to build backdoors into their devices, the U.S. government announced on June 8 that it would move to HTTPS-only for all publicly accessible federal websites and Web services.
To Kaye, the link between press freedom and technology is clear. "[G]overnments are using a variety of technologies and approaches either for mass surveillance or for targeted attacks on and surveillance of activists, journalists, civil society organizations, and others, and some [governments] use technology to block access to information," Kaye told CPJ by email. "Individuals use tools like encryption and anonymizing platforms to protect themselves and their privacy or legitimately gain access to information."
He added: "Those tools need to be protected to allow exercise of fundamental rights to opinion and expression. Restricting these tools restricts exercise of the rights."
Kaye's report drew on submissions from states and civil society organizations -- including a joint letter submitted by CPJ and the Reporters Committee for Freedom of the Press, which can be read here.