Encryption

Updates

26 Oct 2016 | Amnesty International ranks tech companies on encryption and human rights to protect users’ privacy online

The new Amnesty International report “For your eyes only? Ranking technology companies on encryption and human rights” assesses the encryption policies and practices of the companies behind the most popular messaging apps. Amnesty International requested information from 11 technology companies about their current encryption standards and the policies and practices in place to protect users’ privacy and freedom of expression on their messaging apps. Eight companies responded, while Blackberry, Google and Tencent did not. The ‘Message Privacy Ranking’ scores technology companies on a scale of 1 to 100 based on how well they: recognize online threats to their users’ privacy and freedom of expression; apply end-to-end encryption by default; make users aware of threats to their rights and of the level of encryption in place; disclose details of government requests for user data and how they respond to them; and publish technical details of their encryption systems. Amnesty International highlights that the ranking does not assess the security of the apps and should not be seen as an endorsement for journalists, activists, human rights defenders or others at risk. The ranking also did not assess the companies’ overall human rights performance or their approach to privacy across all their services.

5 Oct 2016 | Facebook introduces opt-in encryption for Messenger chats

Facebook has launched ‘secret conversations’ for its Messenger application, allowing users to opt in to end-to-end encrypted conversations. In addition, both parties in a secret conversation have a device key that they can compare to verify that the messages are end-to-end encrypted. The feature also allows users to set messages to self-destruct after anywhere from five seconds to one day. Facebook explains the use of this feature on a support page, where it notes that secret conversations are currently only available in the Messenger app on iOS and Android (and therefore do not appear in Facebook chat or on messenger.com).

1 Oct 2016 | Stronger encryption key for the Internet DNS presented by VeriSign

On 1 October, VeriSign, the administrator of the Internet root zone, successfully presented the renewed key - known as the Zone Signing Key (ZSK) - for the Internet root zone. This follows the planned timeline for increasing the strength of the signing key for the root zone, used for DNSSEC - a DNS protocol extension that authenticates DNS data. The new key is a 2048-bit RSA key, considerably stronger than the 1024-bit key used previously. This transition, conducted by VeriSign in cooperation with ICANN, IANA and the US NTIA, makes the root zone more secure, and is the beginning of a rollover to stronger keys across Internet domains in the coming months. It is expected that the next rollover could occur in 2022.
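As an added example (not code from the original page, VeriSign or ICANN), the following Python check parses a DNSKEY record in presentation format and reports the RSA modulus size, which is how a resolver operator would confirm that the ZSK served for a zone has moved from 1024 to 2048 bits. The sample records are constructed here and are not the real root-zone keys; `build_rsa_dnskey` and `meets_minimum` are helper names chosen for this example.

```python
import base64
import struct

SEP_FLAG = 0x0001  # DNSKEY flag bit: Secure Entry Point, set on KSKs and clear on ZSKs
# DNSSEC algorithm numbers whose public key field uses the RFC 3110 RSA layout
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the RSA modulus size in bits from RFC 3110 public key RDATA."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # exponent longer than 255 bytes: a two-byte length follows
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("missing modulus")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(line: str) -> dict:
    """Parse a presentation-format DNSKEY line ('. 172800 IN DNSKEY 256 3 8 AwEAA...')."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split across fields
    info = {"owner": fields[0], "flags": flags, "protocol": proto, "algorithm": alg,
            "role": "KSK" if flags & SEP_FLAG else "ZSK"}
    if alg in RSA_ALGORITHMS:
        info["rsa_bits"] = rsa_modulus_bits(pubkey)
    return info

def meets_minimum(info: dict, min_bits: int = 2048) -> bool:
    """True if the key is RSA with a modulus of at least min_bits."""
    return info.get("rsa_bits", 0) >= min_bits

def build_rsa_dnskey(owner: str, flags: int, alg: int, exponent: int, modulus: int) -> str:
    """Encode constructed RSA parameters as a DNSKEY line (test data, not a real key)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return f"{owner} 172800 IN DNSKEY {flags} 3 {alg} {base64.b64encode(prefix + exp + mod).decode()}"

# Constructed sample ZSKs (not the real root-zone keys) at the old 1024-bit and new 2048-bit sizes.
OLD_ZSK = build_rsa_dnskey(".", 256, 8, 65537, (1 << 1023) | 0x1234567)
NEW_ZSK = build_rsa_dnskey(".", 256, 8, 65537, (1 << 2047) | 0x1234567)

if __name__ == "__main__":
    for rec in (OLD_ZSK, NEW_ZSK):
        k = parse_dnskey(rec)
        print(k["role"], k["rsa_bits"], "bits:", "OK" if meets_minimum(k) else "WEAK")
```

In practice the input line would come from `dig . DNSKEY` output; non-RSA algorithms (e.g. ECDSA) carry no `rsa_bits` entry and are reported as not meeting the RSA minimum.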

Pages

Encryption refers to the scrambling of electronic documents and communications into an unreadable format that can be read only by using encryption software to decode them. Traditionally, governments were the only players with the power and the know-how to develop and deploy strong encryption for their military and diplomatic communications. With user-friendly packages, encryption has become available to any Internet user, including criminals and terrorists. This has triggered many governance issues related to finding the right balance between the need to respect the privacy of Internet users’ communications and the need for governments to monitor some types of communication relevant to national security, since potential criminal and terrorist activity remains a concern.


International regimes for encryption tools

The international aspects of encryption policy are relevant to the discussion of Internet governance inasmuch as its regulation should be global, or at least, involve those countries capable of producing encryption tools. For example, the US policy of export control of encryption software was not very successful because it could not control international distribution. US software companies initiated a strong lobbying campaign arguing that export controls do not increase national security, but rather undermine US business interests.

Encryption has been tackled in two contexts: the Wassenaar Arrangement and the OECD. The Wassenaar Arrangement is an international regime adopted by 41 countries to restrict the export of conventional weapons and ‘dual use’ technologies to countries at war or considered to be ‘pariah states’. The arrangement established a secretariat in Vienna. US lobbying within the Wassenaar group aimed at extending the Clipper approach internationally, by controlling encryption software through key escrow. This was resisted by many countries, especially Japan and the Scandinavian countries.

A compromise was reached in 1998 through the introduction of cryptography guidelines, which added hardware and software cryptography products with keys above 56 bits to the dual-use control list. This extension included Internet tools, such as Web browsers and e-mail. It is interesting to note that this arrangement does not cover ‘intangible’ transfers, such as downloading. The failure to introduce an international version of Clipper contributed to the withdrawal of this proposal within the USA itself. In this example of the link between national and international arenas, international developments had a decisive impact on national ones.

The OECD is another forum for international cooperation. Although the OECD does not produce legally binding documents, its guidelines on various issues are highly respected. They are the result of an expert approach and a consensus-based decision-making process. Most of its guidelines are eventually incorporated into national laws. The question of encryption was a highly controversial topic in OECD activities. It was initiated in 1996 with a US proposal for the adoption of key escrow as an international standard. As at Wassenaar, negotiations on the US proposal to adopt key escrow as an international standard were strongly opposed by Japan and the Scandinavian countries. The result was a compromise specification of the main policy elements.

A few attempts to develop an international regime, mainly within the context of the Wassenaar Arrangement, did not result in an effective international regime. It is still possible to obtain powerful encryption software on the Internet.

Encryption and human rights

In recent years, the Snowden revelations that disclosed the use of surveillance programs by the United States National Security Agency (NSA), subsequent revelations of surveillance carried out in various other countries, and a rise in cybercrime and terrorism, have placed encryption and human rights into sharper focus. The debate on an international regulatory framework for encryption has also shifted in the same direction.

The issues are various and complex. From a security standpoint, governments have reiterated the need to access encrypted data with the aim of preventing crime and ensuring public safety. Revelations have exposed backdoors in encrypted software and products, putting pressure on Internet and tech companies to allow governments access to data. From a human rights standpoint, the right to privacy and other human rights should be protected, and encryption tools – including pervasive encryption – are essential to protect privacy. The need for greater protection for encryption and anonymity was in fact highlighted in the UN Special Rapporteur's report (2015) to the Human Rights Council.

More recently, these arguments were vividly discussed and illustrated during the 10th IGF in Brazil in 2015, and the 11th IGF in Mexico in 2016. Various approaches were identified, including encryption by default, prohibition of backdoors (also due to the fact that backdoors could make encrypted files vulnerable to criminals), stronger data retention rules, and importantly, an international framework. The view that encryption (and anonymity) is inherently linked to security and economic prospects was also discussed in depth.

Events

Actors

Internet Engineering Task Force (IETF)

The core mission of the IETF is to develop technical standards for the Internet, ranging from Internet protocols (e.g. IPv4 and IPv6) and the Domain Name System (e.g. aspects related to the functioning of Internationalised Domain Names), to routing systems and security issues. Areas of work covered by IETF working groups include applications (e.g. real time communication and audio/video transport), Internet protocols, operations and management (e.g. DNS operations, routing operations, network configuration), routing (e.g. inter-domain routing, tunneling protocol extensions), security and transport (e.g. authentication and authorisation, IP security maintenance and extensions, and transport layer security).

International Organization for Standardization (ISO)

More and more standards and guidelines developed by ISO cover issues related to data and information security, and cybersecurity. One example is the 27000 family of standards, which cover aspects related to information security management systems and are used by organisations to keep information assets (e.g. financial data, intellectual property, employees’ information) secure. Standards 27031 and 27035, for example, are specifically designed to help organisations to effectively respond to, defuse and recover from cyber-attacks. Cybersecurity is also tackled in the framework of standards on technologies such as the Internet of Things, smart community infrastructures, medical devices, localisation and tracking systems, and future networks.

European Telecommunications Standards Institute (ETSI)

ETSI develops standards related to various telecommunications infrastructures and technologies, including broadband cable access (such as integrated broadband cable and television networks), broadband wireless access (such as broadband radio access networks and white spaces technologies), grid and cloud computing networks, next generation networks (such as those dedicated to Internet of things technologies), digital mobile radio, and digital broadcasting networks. Specific technical committees focus on issues such as enabling broadband customers to achieve high connection speeds, facilitating the transition to Internet Protocol version 6 (IPv6), and ensuring energy efficiency in information and communication networks, among others.

Amnesty International (AI)

Encryption is ‘a matter of human rights’ according to AI’s public campaigns. In its first official stance on encryption and human rights, AI published a report in 2016 documenting the obligations and responsibilities of governments and companies to ensure the privacy and security of end-users. AI also released in 2016 a study ranking the most popular messaging applications according to their key policies and practices in relation to encryption.

Association for Progressive Communications (APC)

The Association for Progressive Communications regularly participates at the UN Human Rights Council, to defend the freedom to use encryption technology and to communicate anonymously. One of APC’s strategic priorities for 2016-2019 is to ensure civil society actors and human rights defenders have the capacity to confidently use the Internet and ICTs, by means of privacy-enabling technologies.

Berkman Klein Center for Internet and Society (Berkman Klein Center)

The Berkman Klein Center for Internet and Society hosts a number of research projects related to encryption and cybersecurity. In 2016, Berkman Klein fellows published a worldwide survey of encryption products. The Berklett Cybersecurity Project of the Berkman Center also published in 2016 a report entitled ‘Don’t Panic: Making Progress on the “Going Dark” Debate’, which examines the high-profile debate around government access to encrypted data.

Instruments

Conventions

Convention on Cybercrime (Budapest Convention) - Encryption in mutual legal assistance (2001)

Resolutions & Declarations

Universal Declaration of Human Rights (1948)

Standards

Request for Comments (RFC) dealing with Encryption (2015)

Recommendations

Other Instruments

Resources

Articles

Apple vs FBI: A Socratic Dialogue on Privacy and Security (2016)
Silicon Valley Should Join the War on Terrorism (2016)

Publications

Internet Governance Acronym Glossary (2015)
Securing Safe Spaces - Online Encryption, online anonymity, and human rights (2015)
An Introduction to Internet Governance (2014)

Papers

Expert and Non-Expert Attitudes towards (Secure) Instant Messaging (2016)
Analyzing HTTPS Encrypted Traffic to Identify User’s Operating System, Browser and Application (2016)
A Worldwide Survey of Encryption Products (2016)
On the Free Use of Cryptographic Tools for (Self)protection of EU Citizens (2016)

Reports

One Internet (2016)
Encryption: A Matter of Human Rights (2016)
Don't Panic: Making Progress on the "Going Dark" Debate (2016)
2016 Global Encryption Trends Study (2016)
Stocktaking, Analysis and Recommendations on the Protection of CIIs (2016)
The State of Encryption Today (2016)
The Global Risks Report 2016 (2016)
Freedom on the Net 2015 (2015)
OECD Digital Economy Outlook 2015 (2015)
Global Cybersecurity Index & Cyberwellness Profiles (2015)

GIP event reports

How Can Technological Solutions Advance Cybersecurity? (2017)

Other resources

WhatsApp Encryption Overview (2016)
Security for All: An Open Letter to the Leaders of the World's Governments (2016)
HTTPS on Top Sites
HTTPS at Google

Processes

During Encryption and Anonymity: Rights and Risks (WS 155), panellists discussed the pros and cons of legislation on encryption, and considered the implications of two jurisdictional cases on anonymity and encryption. While greater protection for encryption and anonymity online is required, encryption needs to be viewed as more closely related to security, rather than a purely economic issue.


In Law Enforcement in a World of Pervasive Encryption (WS 141), encryption was compared to antibiotics: we do not know whether they will work, but we need to trust that they will. Pervasive encryption could become a reality within the next decade, more so if there is continued pressure in favour of encryption from various angles, even though, admittedly, encryption poses a challenge to criminal investigations. A similar discussion took place during The Politics of Encryption (WS 53). Here too, a law enforcement agent explained why governments need access to encrypted data and how it can be used to prevent crime and increase public safety.

In the same workshop, the UNESCO representative expressed the need for an international regulatory framework on encryption and set out the progress that was made at UNESCO during its General Conference. The UNESCO research project on Balancing privacy and transparency in the context of promoting online freedom of expression, which is expected to look at privacy, transparency, encryption, and related issues, will be finalised by the end of the year.

The GIP Digital Watch observatory is provided by
