Encryption and Anonymity on the Internet
Module 4: Privacy and Security Online
The interplay between encryption and anonymity
Encryption and anonymity are necessary tools for the full enjoyment of digital rights and enjoy protection by virtue of their critical role in securing the rights to freedom of expression and privacy. As described by the United Nations Special Rapporteur (UNSR) on Freedom of Expression:(1)
“Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.”
Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where a person fears that their communications may be subject to interference or attack by state or non-state actors. These are, therefore, specific tools through which individuals may exercise their rights. Accordingly, restrictions on encryption and anonymity must meet the three-part test to justify the restriction.
According to the UNSR on Freedom of Expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public justification to support any relevant restrictions or to identify situations where the restriction has been necessary to achieve a legitimate goal.(2) The UNSR on Freedom of Expression has therefore called on states to promote strong encryption and anonymity and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights.(3)
Encryption
Encryption refers to a mathematical process of converting messages, information or data into a form unreadable by anyone except the intended recipient, which in doing so protects the confidentiality and integrity of content against third-party access or manipulation.(4) With “public key encryption” – the dominant form of end-to-end security for data in transit – the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.(5) It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or hard drive.(6)
Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression, as they deprive all online users in a particular jurisdiction of the right to carve out a safe space for opinion and expression.(7) Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences for encryption use, setting weak technical standards for encryption or controlling the import and export of encryption tools.(8)
Requirements for cryptography providers in terms of the Electronic Communications and Transactions Act, 2002
Chapter V of the South African Electronic Communications and Transactions Act, 2002 (ECTA) sets out the requirements for cryptography providers. Section 29 of ECTA provides for the establishment and maintenance of a register of cryptography providers, as well as the particulars that must be recorded in the register, including the name and address of the cryptography provider, as well as a description of the type of cryptography service or product being provided. Section 29(3) provides that a cryptography provider “is not required to disclose confidential information or trade secrets in respect of its cryptography products or services.”
It should further be noted that some states have implemented – or proposed implementing – so-called ‘back door access’ in commercially available products, forcing developers to install weaknesses that allow government authorities access to encrypted communications. While the states supporting such measures typically claim that such a framework is necessary to intercept the content of encrypted communications, the UNSR on Freedom of Expression notes that such states have failed to demonstrate that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.(9) Creating an intentional mechanism to allow a state to bypass security measures would inevitably undermine the security of all users online, with respect to both state and non-state actors.(10)
Further, there is a key role for encryption to play in data protection. It has been noted that companies can reduce both the probability and the harm of a data breach, and thus reduce the risk of fines in the future, if they choose to encrypt any personal data in their possession.(11)
Encryption and the GDPR
The GDPR, and many of the data protection laws which follow its model, place responsibility on data controllers and processors to ensure adequate security and protection when processing personal data, which speaks to the role of encryption in data protection. As outlined in an industry advisory:
“The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks could manifest. This basically boils down to the following: The higher the risks involved in the data processing and the more likely these are to manifest, the stronger the taken security measures have to be and the more measures must be taken. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive. Again, the GDPR does not mention explicit encryption methods to accommodate for the fast-paced technological progress.”
Encryption of personal data has additional benefits for controllers or processors; for example, the loss of a state-of-the-art encrypted mobile storage medium which holds personal data may not necessarily be considered a data breach that must be reported to the DPA.(12) In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether a fine is imposed and in what amount, as per article 83(2)(c) of the GDPR.(13)
In 2018, the DPAs of the EU, represented in the Article 29 Working Party (WP29), published a statement framing strong and efficient encryption as a vital tool for upholding data protection and privacy rights,(14) noting three key points:
- Strong encryption ensures a secure, free flow of data between citizens, businesses and governments: The WP29 noted that there is a strong public interest in the implementation of encryption, as it is crucial to ensure a reasonable guarantee that everyday activities – like buying goods online, filing taxes, using banking services, sending or receiving emails or making an appointment with a physician – can be done securely. The WP29 described encryption as “absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity when data are transferred across open networks like the Internet or stored in mobile devices like smartphones”. According to the WP29, encryption should ideally always cover the entire communication, from the device of the sender to that of the recipient, commonly referred to as end-to-end-encryption.
- Backdoors and master keys deprive encryption of its utility: The WP29 countered the argument that law enforcement should be able to access the encrypted data of suspected criminals by requiring technology providers to implement ‘back doors’ (i.e. security vulnerabilities deliberately built into a particular software) or ‘master keys’ (i.e. design features to enable the central decryption of all data encrypted with specific software) in encryption software. The WP29 argued that there is significant historical evidence that master keys and backdoors cannot be kept secure and that there is no way for these technological features to be implemented at any scale without significant risks of compromising people’s security. The WP29 also raises concerns that imposing backdoors and master keys on the general population would not be an effective measure against criminals, as criminals would use or adapt to the state-of-the-art encryption to protect their data, which in turn would only harm ‘the honest citizen’ by making their data vulnerable.
- Law enforcement agencies already have legal powers and targeted tools to address the challenge of encryption: According to the WP29, law enforcement agencies can be legally empowered in other ways to obtain access to data otherwise encrypted, including personal data, for investigations in targeted circumstances. While these powers may raise serious privacy concerns in themselves, the WP29 argues that they appear more proportionate and less dangerous than backdoors or master keys.
Based on the above, the WP29 concluded that encryption must remain standardised, strong and efficient, and encryption providers should never be compelled to include master keys and backdoors in their software.
Advice on how to implement encryption
The ICO recommends the following measures when implementing encryption:
- When implementing encryption, it is important to consider four things: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
- Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
- It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should therefore assess whether your key sizes remain appropriate.
- The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards, such as FIPS 140-2 and FIPS 197.
- Advice on appropriate encryption solutions is available from a number of organisations.
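The public key encryption flow described in the Encryption section, combined with the ICO points on algorithm and key size, can be shown in a short script. This is an added example, not code from the ICO, the WP29 or this module: it assumes RSA-3072 with OAEP to protect a per-message AES-256-GCM key (AES being the cipher standardised in FIPS 197), and the function names are hypothetical.

```javascript
// Added example: hybrid public-key encryption using only Node's built-in crypto module.
const crypto = require('node:crypto');

// Recipient's key pair. RSA-3072 is this example's assumption, not a figure from the page.
function newRecipientKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 3072 });
}

// OAEP padding with SHA-256 for wrapping the data key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: needs only the recipient's PUBLIC key.
function encryptFor(recipientPublicKey, plaintext) {
  const dataKey = crypto.randomBytes(32); // fresh AES-256 key for this message
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, never reused with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();        // integrity tag over the ciphertext
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, ciphertext, tag };
}

// Recipient side: needs the PRIVATE key, which never leaves the recipient.
function decryptWith(recipientPrivateKey, msg) {
  const dataKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the ciphertext or tag was altered in transit.
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// Returns true when a message modified in transit is rejected instead of decrypted.
function rejectsTampering(recipientPrivateKey, msg) {
  const altered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  altered.ciphertext[0] ^= 0x01; // flip one bit of the ciphertext
  try {
    decryptWith(recipientPrivateKey, altered);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample message, for illustration only.
const recipient = newRecipientKeyPair();
const sealed = encryptFor(recipient.publicKey, 'constructed sample: interview notes');
console.log(decryptWith(recipient.privateKey, sealed));
console.log('tampering rejected:', rejectsTampering(recipient.privateKey, sealed));
```

Keeping the key secure, the fourth ICO point, is outside what the script shows: in practice the private key would be stored in a hardware token, an operating-system key store or a key management service rather than held in process memory.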
Anonymity
In digital contexts, anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, as acting or communicating in a way that protects against the determination of one’s name or identity, or as using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.(15) Anonymity may be distinguished from pseudo-anonymity: the former refers to taking no name at all, while the latter refers to taking an assumed name.(16)
Anonymity has been recognised for the important role it plays in safeguarding and advancing privacy, free expression, political accountability, public participation and debate. As explained by the American Civil Liberties Union (ACLU):(17)
“The right to remain anonymous is a fundamental component of our right to free speech, and it applies every bit as much in the digital world as it does in the physical one. In the words of the U.S. Supreme Court in McIntyre v. Ohio Elections Commission, “Anonymity is a shield from the tyranny of the majority.”
Unfortunately, the right to remain anonymous has been under steady attack in the online world. Governments and corporations have attempted to unmask unpopular speakers through subpoenas directed at the websites they visit.”
Anonymity is especially critical in repressive environments in which certain types of protected expression are outlawed, and lack of anonymity could lead to criminal charges or other consequences.(18) Attempts to ban anonymous speech have particularly been seen during times of protest as a measure aimed at protestors and activists.(19)
Intermediary liability is again of concern in relation to anonymous users, as some states have moved towards imposing responsibilities on internet service providers (ISPs) and media platforms to regulate online comments by anonymous users. For instance, in Delfi v Estonia, the ECtHR upheld an Estonian law that imposes liability on a media platform for anonymous defamatory statements posted on its site.(20) However, the ECtHR has also upheld that, while there is no absolute guarantee of online anonymity, the right of freedom of expression should be taken into consideration in decisions to revoke anonymity. This informed the ECtHR’s 2021 finding that an Austrian news site should not have been forced to disclose the identity of online commenters who had posted offensive and hateful messages to the platform.(21) In its third-party submissions in that case, Media Defence had previously argued that a court should only order an ISP to disclose user data where:(22)
- An applicant is able to demonstrate to a sufficient degree that a wrongful act has been committed against them, and that the information is sought to enable them to seek redress for that wrongful act;
- The anonymous user has been notified, and has had an opportunity to respond to the application;
- There is no less restrictive means of obtaining the information sought; and
- The applicant’s interest in disclosure has been sufficiently balanced against the rights to freedom of expression and privacy.