Encryption and Anonymity on the Internet
Module 4: Privacy and Security Online
The interplay between encryption and anonymity
Encryption and anonymity are necessary tools for the full enjoyment of digital rights and enjoy protection by virtue of the critical role that they play in securing the rights to freedom of expression and privacy. As described by the United Nations Special Rapporteur (UNSR) on Freedom of Expression:(1)
“Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.”
Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where persons may be concerned that their communications may be subject to interference or attack by state or non-state actors. These are therefore specific technologies through which individuals may exercise their rights. Accordingly, restrictions on encryption and anonymity must meet the three-part test to justify the restriction.
According to the UNSR on Freedom of Expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public justification to support the restriction or to identify situations where the restriction has been necessary to achieve a legitimate goal.(2) The UNSR on Freedom of Expression has therefore called on states to promote strong encryption and anonymity, and noted that decryption orders should only be permissible when they result from transparent and publicly-accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and are subject to a judicial warrant and the protection of the due process rights of individuals.(3)
Encryption refers to a mathematical process of converting messages, information or data into a form unreadable by anyone except the intended recipient, and in doing so protects the confidentiality and integrity of content against third party access or manipulation.(4) With “public key encryption” – the dominant form of end-to-end security for data in transit – the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.(5) It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or hard drive.(6)
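The exchange described above (sender encrypts with the recipient's public key, recipient decrypts with the private key), as an added example that is not part of the original module and is not code from any of the sources it cites. It uses only Go's standard library; the function names, the 3072-bit key size and the sample message are this example's own choices. Beyond the basic round trip it shows two points the paragraph states in words: a third party holding the ciphertext and the public key still cannot read the message, and a ciphertext altered in transit is rejected rather than decrypted into garbage.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a 3072-bit RSA key pair (key size is this example's
// choice). The private half stays with its owner; only the public half is
// handed to people who want to send to them.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 3072)
}

// Encrypt seals a short message under the recipient's public key using RSA-OAEP
// with SHA-256. Anyone holding the public key can do this step.
func Encrypt(recipient *rsa.PublicKey, message []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, message, nil)
}

// Decrypt recovers the message with the matching private key. The OAEP padding
// is checked on the way out, so a ciphertext that was altered in transit, or one
// made for a different key, is rejected instead of yielding garbage.
func Decrypt(recipient *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ciphertext, nil)
}

// Demo walks through the exchange: the sender encrypts for the recipient, the
// recipient decrypts, a third party with their own key pair cannot, and a
// ciphertext modified on the wire is detected. It returns the recovered text
// and whether the two failure cases were refused.
func Demo(message string) (recovered string, thirdPartyRefused, tamperDetected bool, err error) {
	recipient, err := GenerateKeyPair()
	if err != nil {
		return "", false, false, err
	}
	// A third party's own key pair (constructed for the example): it models an
	// eavesdropper who has the recipient's public key but not the private key.
	thirdParty, err := GenerateKeyPair()
	if err != nil {
		return "", false, false, err
	}

	ciphertext, err := Encrypt(&recipient.PublicKey, []byte(message))
	if err != nil {
		return "", false, false, err
	}

	plaintext, err := Decrypt(recipient, ciphertext)
	if err != nil {
		return "", false, false, err
	}

	// The eavesdropper holds the ciphertext and the public key only; decryption
	// with any other private key fails.
	_, err = Decrypt(thirdParty, ciphertext)
	thirdPartyRefused = err != nil

	// Flip one bit of the ciphertext; OAEP decoding fails rather than returning
	// a silently corrupted message, which is the integrity property the text
	// refers to.
	tampered := append([]byte(nil), ciphertext...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(recipient, tampered)
	tamperDetected = err != nil

	return string(plaintext), thirdPartyRefused, tamperDetected, nil
}

func main() {
	msg, refused, detected, err := Demo("meeting moved to 10:00") // constructed sample message
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q third_party_refused=%v tamper_detected=%v\n", msg, refused, detected)
}
```

RSA-OAEP on its own only fits a message shorter than the key; real messaging tools encrypt the body and attachments with a symmetric key and use the public key only to protect that symmetric key, but the ownership of the keys and who can decrypt are exactly as shown here.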
Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression, as they deprive all online users in a particular jurisdiction of the right to carve out a space for opinion and expression, without any particular claim that the use of encryption is for unlawful ends.(7) Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences for encryption use, setting weak technical standards for encryption or controlling the import and export of encryption tools.(8)
Requirements for cryptography providers in terms of the Electronic Communications and Transactions Act, 2002
Chapter V of the South African Electronic Communications and Transactions Act, 2002 (ECTA) sets out the requirements for cryptography providers. Section 29 of ECTA provides for the establishment and maintenance of a register of cryptography providers, as well as the particulars that must be recorded in the register, including the name and address of the cryptography provider, as well as a description of the type of cryptography service or product being provided. Section 29(3) provides that a cryptography provider “is not required to disclose confidential information or trade secrets in respect of its cryptography products or services.”
It should further be noted that some states have implemented – or proposed implementing – so-called ‘back door access’ in commercially available products, forcing developers to install weaknesses that allow government authorities access to encrypted communications. While the states supporting such measures typically claim that a legal framework is necessary to intercept the content of encrypted communications, the UNSR on Freedom of Expression notes that such states have failed to demonstrate that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives.(9) Creating an intentional mechanism to allow state access would inevitably undermine the security of all users online.(10)
There is a key role for encryption to play in data protection. It has been noted that: “Companies can reduce the probability of a data breach and thus reduce the risk of fines in the future, if they chose to use encryption of personal data. The processing of personal data is naturally associated with a certain degree of risk. Especially nowadays, where cyber-attacks are nearly unavoidable for companies above a given size. Therefore, risk management plays an ever-larger role in IT security and data encryption is suited, among other means, for these companies.”(11)
Encryption and the GDPR
Source: Intersoft Consulting, ‘GDPR: Encryption’, accessible at https://gdpr-info.eu/issues/encryption/
“The [GDPR] also recognizes these risks when processing personal data and places the responsibility on the controller and the processor in Art. 32(1) of the General Data Protection Regulation to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks could manifest. This basically boils down to the following: The higher the risks involved in the data processing and the more likely these are to manifest, the stronger the taken security measures have to be and the more measures must be taken. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive. Again, the GDPR does not mention explicit encryption methods to accommodate for the fast-paced technological progress. When choosing a method one must also apply the criteria catalogue above. To answer the question of what is currently considered “state of the art” data protection officers usually rely on the definitions set out in information security standards like ISO/IEC 27001 or other national IT-security guidelines.”
Encryption of personal data has additional benefits for controllers or processors; for example, the loss of a state of the art encrypted mobile storage medium which holds personal data may not necessarily be considered a data breach that must be reported to the DPA.(12) In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether a fine is imposed and in what amount, as per article 83(2)(c) of the GDPR.(13)
In April 2018, the DPAs of the EU, represented in the Article 29 Working Party (WP29), published a statement regarding encryption and its impact on the protection of individuals with regard to the processing of their personal data in the EU.(14) In the statement, the WP29 expressed the view that “the availability of strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens”.(15)
WP29 went on to note three key points:(16)
- Strong encryption is required to ensure a secure, free flow of data between citizens, businesses and governments: The WP29 noted that properly-implemented encryption using appropriate algorithms offers a reasonable guarantee that activities — like buying goods online, filing taxes, using banking services, sending or receiving emails or making an appointment with a physician — can be done securely. According to the WP29, without encryption, individuals’ privacy and security can be compromised every time they wish to undertake those everyday activities. It was noted further that the use of encryption techniques as a means of guaranteeing confidentiality and integrity of data and user authentication has become “an indispensable prerequisite for the normal functioning of these infrastructures and of the digital services offered over them, and is now used by many data controllers”. The WP29 described encryption as “absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity when data are transferred across open networks like the Internet, or stored in mobile devices like smartphones”. According to the WP29, encryption should ideally always cover the entire communication, from the device of the sender to that of the recipient, commonly referred to as end-to-end-encryption. The WP29 also noted that there is a public interest in the implementation of encryption: “Securing personal data in transit and at rest is a cornerstone of the trust we all need for digital services, so as to enable innovation and growth for our digital economy.”
- Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner: The WP29 noted the argument that, because encryption may be used to conceal criminal activities, some consider that the need for law enforcement to access the data of suspected criminals can be satisfied by implementing ‘back doors’ – i.e. vulnerabilities secretly implemented in a particular software by its developer – or ‘master keys’ – i.e. keys allowing the decryption of every message encrypted with specific software – in encryption software. However, as explained by the WP29, “the mathematical foundation of cryptology does not provide the basis for a secure backdoor, and numerous examples in history have shown that master keys and backdoors cannot be kept secure, even by major law enforcement agencies or by companies specialized in key management”. According to the WP29, because encryption software is used on a worldwide scale, this would require backdoors and master keys to be exchanged between law enforcement agencies on a worldwide scale, which would lead to their widespread dissemination and thus increase the risks of them being compromised. The WP29 also notes in this regard that: “Without strong and efficient encryption, data of citizens, businesses and governments are at risk. Given the importance of the security of everyday services – upon which our individual lives, businesses and governments increasingly rely – any decrease in the protection offered by encryption will lead to even greater damages than that which law enforcement access to encrypted data might aim to prevent.” The WP29 also raises concern that imposing backdoors and master keys on law-abiding citizens and organisations would not be an effective measure against criminals, as criminals would use or adapt to the state of the art encryption to protect their data, which in turn would only harm the honest citizen by making their data vulnerable.
- Law enforcement agencies already have a number of legal powers and targeted tools to address the challenge of encryption, allowing them to access the data they need to investigate and prosecute criminals: According to the WP29, law enforcement agencies can be legally empowered in other ways to obtain access to data otherwise encrypted, including personal data, for investigations in targeted circumstances. While these powers may raise serious privacy concerns in themselves, the WP29 argues that they appear more proportionate and less dangerous than backdoors or master keys.
Based on the above, the WP29 made the following findings and recommendations:
- The availability of strong and trusted encryption is a necessity in the modern digital world. Such technologies contribute in an irreplaceable way to our privacy and to the secure and safe functioning of our societies.
- Encryption must remain standardised, strong and efficient, which would no longer be the case if providers were compelled to include backdoors or provide master keys. Whatever the technical solution, it can never be safe to compel encryption providers to include master keys and backdoors in their software.
- Law enforcement agencies already have access to vast quantities of data via their existing powers. Such access must remain proportionate and targeted. They should focus on improving their capabilities to interpret that data to investigate and prosecute criminals.
Advice on how to implement encryption
Source: Information Commissioner’s Office (ICO), ‘Encryption’, accessible at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/encryption/
The ICO recommends the following measures when implementing encryption:
- When implementing encryption, it is important to consider four things: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
- Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
- It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should therefore assess whether your key sizes remain appropriate.
- The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards, such as FIPS 140-2 and FIPS 197.
- Advice on appropriate encryption solutions is available from a number of organisations.
- You should also ensure that you keep your keys secure, and have processes in place to generate new keys when necessary.
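One way to put the last two ICO points (keep keys secure, and be able to generate new keys) into practice for data at rest is to version every key and store the version in front of each encrypted record, so that a key can be rotated and eventually retired without losing access to older data. The following is an added example, not code from the ICO or from this module; it uses Go's standard AES-256-GCM, and the record layout, type names and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	keyBytes   = 32 // AES-256: a key size that remains appropriate for long-lived data
	headerSize = 4  // big-endian key version stored in front of each record
)

// Keyring holds every AES-256 key that still has data encrypted under it.
// New records are always sealed with the current version; older versions are
// kept only for reading and re-encrypting existing records.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyring() *Keyring {
	return &Keyring{keys: make(map[uint32][]byte)}
}

// Rotate generates a fresh random key and makes it current. Previous keys stay
// usable for decryption until Retire is called.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, keyBytes)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire deletes a key once no stored record references it any more. The
// current key cannot be retired.
func (k *Keyring) Retire(version uint32) error {
	if version == k.current {
		return errors.New("cannot retire the current key")
	}
	if _, ok := k.keys[version]; !ok {
		return fmt.Errorf("unknown key version %d", version)
	}
	delete(k.keys, version)
	return nil
}

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt produces a record laid out as version || nonce || ciphertext+tag.
// The version header is passed as additional authenticated data, so it is
// covered by the tag and cannot be rewritten to point at another key.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	header := make([]byte, headerSize)
	binary.BigEndian.PutUint32(header, k.current)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append(header, nonce...)
	return gcm.Seal(record, nonce, plaintext, header), nil
}

// Decrypt reads the version from the record and opens it with that key; a
// record whose key has been retired, or whose bytes were altered, is rejected.
func (k *Keyring) Decrypt(record []byte) ([]byte, error) {
	if len(record) < headerSize {
		return nil, errors.New("record too short")
	}
	header := record[:headerSize]
	gcm, err := k.aead(binary.BigEndian.Uint32(header))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < headerSize+ns+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce := record[headerSize : headerSize+ns]
	return gcm.Open(nil, nonce, record[headerSize+ns:], header)
}

// Reencrypt moves a record from whatever key it was sealed with to the current
// key; run it over stored data after Rotate and before Retire.
func (k *Keyring) Reencrypt(record []byte) ([]byte, error) {
	plaintext, err := k.Decrypt(record)
	if err != nil {
		return nil, err
	}
	return k.Encrypt(plaintext)
}

// RecordVersion reports which key version a stored record was sealed under.
func RecordVersion(record []byte) uint32 {
	return binary.BigEndian.Uint32(record[:headerSize])
}

func main() {
	kr := NewKeyring()
	v1, _ := kr.Rotate()
	rec, _ := kr.Encrypt([]byte("record 4711: constructed personal data")) // constructed sample
	v2, _ := kr.Rotate()
	rec2, _ := kr.Reencrypt(rec)
	_ = kr.Retire(v1)
	pt, err := kr.Decrypt(rec2)
	fmt.Printf("v1=%d v2=%d record_version=%d plaintext=%q err=%v\n", v1, v2, RecordVersion(rec2), pt, err)
}
```

In a deployment the keyring itself would live in a key management service or hardware module rather than in process memory, but the rotation discipline is the same: add the new key, re-encrypt what the old key protects, then retire the old key.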
Encryption is a tool that can be used to contribute to one’s anonymity online. Anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, or as acting or communicating in a way that protects the determination of one’s name or identity, or using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.(17) Anonymity may be distinguished from pseudo-anonymity: the former refers to taking no name at all, whilst the latter refers to taking an assumed name.(18)
Anonymity has been recognised for the important role it plays in safeguarding and advancing privacy, free expression, political accountability, public participation and debate. As explained by the American Civil Liberties Union (ACLU):(19)
“The right to remain anonymous is a fundamental component of our right to free speech, and it applies every bit as much in the digital world as it does in the physical one. In the words of the U.S. Supreme Court in McIntyre v. Ohio Elections Commission, “Anonymity is a shield from the tyranny of the majority.”
Unfortunately, the right to remain anonymous has been under steady attack in the online world. Governments and corporations have attempted to unmask unpopular speakers through subpoenas directed at the websites they visit.”
Anonymity as an enabler of fundamental rights
Source: Association for Progressive Communications (APC), ‘The right to freedom of expression and the use of encryption and anonymity in digital communications’, February 2015, accessible at https://www.apc.org/sites/default/files/APC%20submission%20to%20SR%20FOEX_20150211_0.pdf
“Anonymity is also inextricably linked to the right to privacy. An individual cannot have a reasonable expectation that his or her privacy is being protected without the ability to control what information is shared about them and how that information is used. Lack of privacy, or even perceived lack of privacy, is understood to have a chilling effect on freedom of expression, leading to self-censorship.
Additionally, anonymity is an important enabler of the right to freedom of association and assembly online and the right to be free from discrimination. The relative anonymity that the internet offers enables individuals and minority groups, among others, to associate on sensitive matters such as sexual orientation or religion. Anonymity provides an enabling environment for people to form relationships and seek support for problems that have a social stigma like drug addiction, illnesses such as HIV/AIDS, or sexual abuse. It also allows people to engage in online association based on identities or beliefs that are illegal in some countries, like LGBT groups, political opposition, or religious minorities”.
A number of courts have protected anonymity, both of individual users and of journalistic sources. However, there are also a number of states that prohibit or interfere with anonymity online. In Brazil, for example, anonymity is prohibited by article 5 of the Federal Constitution, which states that “free expression of thought is assured, prohibiting anonymity,” without specifying in which situations this should apply.(20) Although this restriction was designed to prevent individuals from offending and causing damage to the honour and image of third parties, without leaving any trace for identification, it has been generating confusion and is being used to limit the right to privacy and freedom of expression online and offline.(21)
Mandatory SIM card registration is a common example of a real-name registration requirement that affects online activity.(22) In this regard, mandatory SIM card registration laws typically require that people provide personal information, including a valid identity document or biometrics, before they can purchase or activate a prepaid SIM card for their mobile device.(23) As noted by Privacy International, “[p]repaid SIM card use and mandatory SIM card registration laws are especially widespread in African countries: these two factors can allow for a more pervasive system of mass surveillance of people who can access pre-paid SIM cards, as well as exclusion from important civic spaces, social networks, and education and health care for people who cannot.”(24) As of February 2019:(25)
- 50 countries in Africa had introduced such laws: Algeria, Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Central African Republic, Chad, Congo, Côte d’Ivoire, Democratic Republic of Congo, Egypt, Equatorial Guinea, Eritrea, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Kenya, Lesotho, Liberia, Libya, Madagascar, Malawi, Mali, Mauritania, Mauritius, Morocco, Mozambique, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Swaziland, Tanzania, Togo, Tunisia, Uganda, Zambia, and Zimbabwe.
- Two countries had not mandated SIM card registration and were not considering doing so: Cabo Verde and Comoros.
- Namibia was considering SIM card registration.
- The state of SIM card registration in Djibouti was inconclusive.
Mandatory SIM card registration severely undermines the ability to be anonymous online. It has been explained that: “If almost every mobile device has its SIM card registered to a particular person, and the government can get access to that mobile subscriber information, the people who own and use such devices can be more easily tracked and monitored. Not all people with mobile devices may fall equally under the watchful eye of such surveillance systems: people advocating for change, people who disagree with the government’s policies, religious or ethnic minorities, journalists, and human rights defenders are particularly vulnerable.”(26)
Anonymity is especially critical in repressive environments in which certain types of protected expression are outlawed, and lack of anonymity could lead to criminal charges or other consequences.(27) Attempts to ban anonymous speech have particularly been seen during times of protest as a measure aimed at protestors and activists.(28)
Intermediary liability is again of concern in relation to anonymous users, as some states have moved towards imposing responsibilities on internet service providers (ISPs) and media platforms to regulate online comments by anonymous users. For instance, in Delfi v Estonia, the ECtHR upheld an Estonian law that imposes liability on a media platform for anonymous defamatory statements posted on its site.(29) As has previously been argued by MLDI, a court should only order an ISP to disclose user data where:(30)
- An applicant is able to demonstrate to a sufficient degree that a wrongful act has been committed against them, and that the information is sought to enable them to seek redress for that wrongful act;
- The anonymous user has been notified, and has had an opportunity to respond to the application;
- There is no less restrictive means of obtaining the information sought; and
- The applicant’s interest in disclosure has been sufficiently balanced against the rights to freedom of expression and privacy.
Importance of anonymity online
Source: Financial Times, ‘When online anonymity is a good thing’, 10 October 2018, accessible at https://www.ft.com/content/f8813f6e-cb54-11e8-9fe5-24ad351828ab
“Anonymity remains one of the best features of life online. What you say and do becomes more important than who you are. The developer(s) of bitcoin is (are?) still known only by the presumed alias Satoshi Nakamoto. Twitter handles, Reddit usernames and YouTube comments still do not require real names. All have had their own problems with offensive commentary, but it is not clear that anonymity is the real cause. Think of Facebook, which has always gone out of its way to verify identities and where discussions are still not known for their civility.
By contrast, withholding real names may appear the sort of thing a troublemaker would do — but can end up enforcing social pressures more acutely. In 2016, Guanxiong Huang and Kang Li at Michigan State University analysed academic investigations into group communications and found that people seemed more sensitive to social norms when they could not rely on parts of their identity (job title, age, location etc) they would usually reach for during group conversations.
The real difference appears to lie in the way that we talk in person versus how we communicate via a computer. Screens, not anonymity, could be the real disinhibitors.”