Protecting One’s Identity
Module 6: Online Harassment and Anonymity
Anonymity, access to VPN services, use of encryption
Encryption and anonymity are vital to the protection of freedom of expression and the right to privacy online.(1)
Anonymity can be defined either as acting or communicating without using or presenting one’s name and identity or as acting or communicating in a way that protects the determination of one’s name or identity or using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.(2)
Anonymity may be distinguished from pseudo-anonymity: the former refers to taking no name at all, whilst the latter refers to taking an assumed name.(3)
As recognised by different international bodies,(4) anonymity is crucial for the exercise of the right to freedom of expression online. The willingness of individuals to engage in public debates online, in particular those on controversial subjects, is closely linked to the possibility of doing so anonymously. In addition, the disclosure of journalistic sources and other protected materials can have negative consequences for freedom of expression. While the ECtHR found that the ECHR does not contain an absolute right to remain anonymous online, it acknowledged that anonymity is a tool of “avoiding reprisals and unwanted attention [and] is capable of promoting the free flow of opinions, ideas and information”.(5)
Encryption refers to “a mathematical ‘process of converting messages, information or data into a form unreadable by anyone except the intended recipient’” and, in doing so, “protects the confidentiality and integrity of the content against third-party access or manipulation.”(6) With so-called “public key encryption” – the dominant form of end-to-end security for data in transit – the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses their own private key to decrypt them.(7) It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or a hard drive.(8)
International Context
Anonymity and encryption are intrinsically linked to the concepts of privacy and data protection, as they are tools that can be used to protect and advance these rights. In particular, encryption and anonymity have become important ways for political actors, activists, journalists and dissidents to protect their privacy and freedom of expression against specific surveillance tools that access data in transfer. As described by the United Nations Special Rapporteur (UNSR) on freedom of expression:(9)
“Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.”
Encryption and anonymity are essential for the development and sharing of opinions online, particularly in circumstances where persons may be concerned that their communications may be subject to interference or attack by state or non-state actors. They enable individuals to express controversial ideas without fear of reprisal and are of particular importance for whistle-blowers, dissidents and in environments where freedom of expression is heavily censored.(10) Encryption and anonymity are therefore specific technologies through which individuals may exercise their rights. The role of encryption as an “enabler of privacy and human rights” has been widely recognised by international bodies and human rights experts.(11) Accordingly, restrictions on encryption and anonymity must meet the three-part test in order to be justifiable.
With concern, the Office of the UN High Commissioner for Human Rights (OHCHR) notes that in recent years, governments have increasingly taken steps to undermine the security and confidentiality of encrypted communications, stressing its importance for people to safely holding, expressing, and exchanging opinions.(12) In particular, the OHCHR highlights that the essential role of encryption for journalists, human rights defenders, women and civilians in armed conflict.(13)
According to the UNSR on freedom of expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public safety justification to support the restriction or to identify situations where the restriction has been necessary to achieve a legitimate goal.(14) Outright prohibitions on the individual use of encryption technology disproportionally restrict the right to freedom of expression as it deprives all online users in a particular jurisdiction of the right to carve out a space for opinions and expression, without any particular claim of the use of encryption being for unlawful ends.(15) Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences for encryption use, setting weak technical standards for encryption or controlling the import and export of encryption tools.(16)
The UNSR on freedom of expression has called on states to promote strong encryption and anonymity and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights of individuals.(17) Likewise, the OHCHR has echoed these calls by recommending that States avoid all direct, or indirect, general and indiscriminate restrictions on the use of encryption, target individuals only when authorised by an independent juridical body on a case-by-case basis, and only when strictly necessary for the investigation or prevention of serious crimes.(18)
Regional Context: European Union
Various EU institutions have stressed the importance of encrypted communications. For instance, in 2020 the Council of the European Union drafted a resolution on encryption noting that:
“The European Union fully supports the development, implementation and use of strong encryption. The European Union underlines the need to ensure full respect for fundamental and human rights and the rule of law in all actions relating to this resolution, online as well as offline. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline protecting our societies and citizens.”(19)
Similarly, the European Communications Code, Directive 2018/1972 of the EU, also recognises the need for encryption as a security measure and provides that:
“Member States shall ensure that providers of public electronic communications networks or of publicly available electronic communications services take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. Having regard to the state of the art, those measures shall ensure a level of security appropriate to the risk presented. In particular, measures, including encryption where appropriate, shall be taken to prevent and minimise the impact of security incidents on users and on other networks and services.”(20)
At the same time, anonymity online and encryption have sparked debates between lawmakers, state agencies and civil society actors in recent years. The use of encrypted communications has in particular raised concerns with law enforcement authorities regarding the identification of terrorists and perpetrators of cybercrime, citing the “dilemma of privacy versus security online.”(21) Against the backdrop of several terror attacks in Europe in the mid-2010s, some – including several lawmakers – begun perceiving encryption as an obstacle to law enforcement and have engaged in efforts to weaken it.(22)
In 2020, the European Commission’s draft paper on “Technical solutions to detect child sexual abuse in end-to-end encrypted communications” was leaked. The document details different options to detect illegal content in end-to-end encrypted communications,(23) which were heavily criticised by experts for their numerous security and privacy risks(24).
On 11 May 2022, the European Commission then release a proposal for a law to “Prevent and Combat Child Sexual Abuse” (CSA Regulation), which would impose an obligation on hosting, interpersonal communication and other service providers to detect, report, remove and block CSA material. This obligation extends to unknown CSA material in end-to-end encrypted, interpersonal communications, while the proposal did not include the possibility for providers to refuse the execution of a detection order based on its technical impossibility. (25) This proposal received widespread criticism, including by tech experts and civil society organisations. The European Data Protection Supervisor and the Chair of the European Data Protection Board released a joint opinion, highlighting how encryption technologies “contribute in a fundamental way to the respect for private life and confidentiality of communications, freedom of expression as well as to innovation an growth in the digital economy”.(26) With regards to the Commission’s proposal, they raised “serious data protection and privacy concerns” and called for an amended proposal that meets the requirements of necessity and proportionality and does “not result in the weakening or degrading of encryption on a general level.”(27)
On 14 November 2023, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs adopted its position, adding protection for end-to-end-encrypted communication(28) by excluding it from the scope of detection orders(29). Eyes have now turned to High-Level Expert Group on access to data for effective law enforcement, co-chaired by the Commission and the Presidency of the Council of the EU,(30) for which encryption and anonymisation have been, inter alia, identified as the most pressing issues(31).
Regional Context: Council of Europe
The Council of Europe’s Commissioner for Human Rights has stressed that encryption is “indispensable for the effective protection of the right to privacy, freedom of expression, and many other human rights” as well as the confidentiality for journalistic sources and the physical security of individuals such as human rights defenders, their families, networks, beneficiaries and colleagues.(32)
On 13 February 2024, the ECtHR issued a judgment in Podchasov v Russia, a case which concerned a fine imposed on the messenger Telegram after it had refused an order by Russian authorities to disclose technical information to disclose the end-to-end encrypted communications of several individuals suspected terrorism-related activities. The Court also highlighted the importance of encryption technology to protect the right to private life and freedom of expression and as a defence “against abuses of information technologies, such as hacking, identity and personal data theft, fraud, and the improper disclosure of confidential information.”(33) The Court then goes on to explain that to enable the decryption, it would be necessary to weaken encryption for all users by creating backdoors, making it technically possible to perform general and indiscriminate surveillance of all users’ communications.(34) It concludes that the:
“obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken encryption mechanisms for all users; it is accordingly not proportionate to the legitimate aims pursued.”(35)