Encryption and Anonymity on the Internet
Module 4: Data Privacy and Data Protection
Encryption refers to a mathematical process of converting messages, information or data into a form unreadable by anyone except the intended recipient, and in doing so protecting the confidentiality and integrity of content against third-party access or manipulation.(1) With “public key encryption” — the dominant form of end-to-end security for data in transit — the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.(2) It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or hard drive.(3)
Anonymity can be defined as acting or communicating without using or presenting one’s name or identity, as acting or communicating in a way that protects against the determination of one’s name or identity, or as using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.(4) Anonymity may be distinguished from pseudo‑anonymity: the former refers to taking no name at all, while the latter refers to taking an assumed name.(5)
Importance of freedom of expression
Encryption and anonymity are necessary tools for the full enjoyment of digital rights and deserve protection by virtue of the critical role that they play in securing the rights to freedom of expression and privacy. As described by the UNSR on FreeEX:(6)
“Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality. Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also a society that does not tolerate unconventional opinions or expression.”
Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where a person fears that their communications may be subject to interference or attack by state or non-state actors. These are therefore specific technologies through which individuals may exercise their rights, and are particularly important for journalists communicating online to be protected from surveillance and to maintain the confidentiality of journalistic sources. Accordingly, under international human rights law, restrictions on encryption and anonymity must meet the three-part test to justify the restriction.
Balancing security with freedom of expression
According to the UNSR on FreeEX, while encryption and anonymity may have the potential to frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public safety justifications to support any restrictions or to identify situations where the restriction has been necessary to achieve a legitimate goal.(7) Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression as they deprive all online users in a particular jurisdiction of the right to carve out a space for opinion and expression, without any particular claim of the use of encryption being for unlawful ends.(8)
Likewise, state regulation of encryption may be tantamount to a ban, for example, through requiring licences for encryption use, setting weak technical standards for encryption, or controlling the import and export of encryption tools.(9)
The use of encryption and anonymity by journalists
In the 2015 case of Federal Prosecutor v Soleyana Shimeles Gebremariam and others (Zone 9 Bloggers) in Ethiopia, in which nine bloggers were charged with planning, preparing, conspiring, and inciting to execute terrorism, it is notable that the prosecutor in the case cited the bloggers’ use of encryption tools to protect the confidentiality of their data as evidence that they were undertaking covert acts against the government. Ultimately, all charges were either dropped or the defendants were acquitted due to a lack of evidence.(10)
Since 2015, awareness and understanding of the use of encryption tools have advanced, and such use is, in most cases, no longer seen as an inherent indication of having something to hide. However, journalists continue to face many challenges in using fully secure and protected encryption and anonymity tools in practice, with constant threats from law enforcement agencies seeking ‘back doors’ into such tools.
Regardless, the principle of the confidentiality of journalistic sources is well established in case law, including in Africa. In the 2023 case of Mazetti Management Services v amaBhungane Centre for Investigative Journalism in South Africa, the High Court set aside an interim injunction ordering a media organisation to return documents in its possession and confirmed that the confidentiality of sources is a key and important feature of investigative journalism.(11)
An amicus curiae in the case made submissions on the importance of the confidentiality of journalistic sources as set out in international human rights law.
The UNSR on FreeEX has, therefore, called on states to promote strong encryption and anonymity, and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights.(12)
The 2019 ACHPR Declaration of Principles on Freedom of Expression and Access to Information likewise provides that states should not adopt laws or other measures prohibiting or weakening encryption, including backdoors or key escrows, unless such measures are justifiable and compatible with international human rights law and standards.(13)
Despite this clear mandate, many countries in sub-Saharan Africa continue to regulate or limit the use of encryption. For example, some require the registration and licensing of encryption service providers or have laws that compel service providers to hand over secret codes to state authorities.(14) According to the Global Partners Digital World Map of Encryption, at least 27 countries in Africa have laws and policies enabling widespread restrictions on the use of encryption tools.(15)
A new form of surveillance: SIM card registration
In virtually all African countries, there is mandatory SIM card registration, during which a large volume of identifying data is collected.(16) While the surge in cybercrimes prompted SIM registration, the data requirements for registration are extensive, yet data protection practices are poor, with no specific data protection laws in place. Even in countries with data protection laws, implementation is often poor and many laws fall short of established human rights standards. Moreover, the trends in data collection seem to be changing, with several countries increasingly pegging service delivery to data which is collected and stored in various databases. In itself, SIM registration in effect eradicates the ability of mobile phone users to communicate anonymously and facilitates mass surveillance, making tracking and monitoring of all users easier for law enforcement and security agencies.
Another concern relates to the growing preference among African governments for implementing data localisation regulations, which mandate that personal data be stored within the country. While ostensibly this is to ensure the protection of personal information, it may also enable easier access to data for decryption and surveillance.