Back to main site

    Protecting One’s Identity

    Module 6: Online Harassment and Anonymity

    Anonymity, access to VPN services, use of encryption

    Encryption and anonymity are vital to the protection of freedom of expression and the right to privacy online.(1)

    Anonymity can be defined either as acting or communicating without using or presenting one’s name and identity or as acting or communicating in a way that protects the determination of one’s name or identity or using an invented or assumed name that may not necessarily be associated with one’s legal or customary identity.(2)

    Anonymity may be distinguished from pseudo-anonymity: the former refers to taking no name at all, whilst the latter refers to taking an assumed name.(3)

    As recognised by different international bodies,(4) anonymity is crucial for the exercise of the right to freedom of expression online. The willingness of individuals to engage in public debates online, in particular those on controversial subjects, is closely linked to the possibility of doing so anonymously. In addition, the disclosure of journalistic sources and other protected materials can have negative consequences for freedom of expression. While the ECtHR found that the ECHR does not contain an absolute right to remain anonymous online, it acknowledged that anonymity is a tool of “avoiding reprisals and unwanted attention [and] is capable of promoting the free flow of opinions, ideas and information”.(5)

    Encryption refers to “a mathematical ‘process of converting messages, information or data into a form unreadable by anyone except the intended recipient’” and, in doing so, “protects the confidentiality and integrity of the content against third-party access or manipulation.”(6) With so-called “public key encryption” – the dominant form of end-to-end security for data in transit – the sender uses the recipient’s public key to encrypt the message and its attachments, and the recipient uses their own private key to decrypt them.(7) It is also possible to encrypt data at rest that is stored on one’s device, such as a laptop or a hard drive.(8)

    International Context

    Anonymity and encryption are intrinsically linked to the concepts of privacy and data protection, as they are tools that can be used to protect and advance these rights. In particular, encryption and anonymity have become important ways for political actors, activists, journalists and dissidents to protect their privacy and freedom of expression against specific surveillance tools that access data in transfer. As described by the United Nations Special Rapporteur (UNSR) on freedom of expression:(9)

    “Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief. For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments. Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities. Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment. The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.”

    Encryption and anonymity are essential for the development and sharing of opinions online, particularly in circumstances where persons may be concerned that their communications may be subject to interference or attack by state or non-state actors. They enable individuals to express controversial ideas without fear of reprisal and are of particular importance for whistle-blowers, dissidents and in environments where freedom of expression is heavily censored.(10) Encryption and anonymity are therefore specific technologies through which individuals may exercise their rights. The role of encryption as an “enabler of privacy and human rights” has been widely recognised by international bodies and human rights experts.(11) Accordingly, restrictions on encryption and anonymity must meet the three-part test in order to be justifiable.

    With concern, the Office of the UN High Commissioner for Human Rights (OHCHR) notes that in recent years, governments have increasingly taken steps to undermine the security and confidentiality of encrypted communications, stressing its importance for people to safely holding, expressing, and exchanging opinions.(12) In particular, the OHCHR highlights that the essential role of encryption for journalists, human rights defenders, women and civilians in armed conflict.(13)

    According to the UNSR on freedom of expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public safety justification to support the restriction or to identify situations where the restriction has been necessary to achieve a legitimate goal.(14) Outright prohibitions on the individual use of encryption technology disproportionally restrict the right to freedom of expression as it deprives all online users in a particular jurisdiction of the right to carve out a space for opinions and expression, without any particular claim of the use of encryption being for unlawful ends.(15) Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences for encryption use, setting weak technical standards for encryption or controlling the import and export of encryption tools.(16)

    The UNSR on freedom of expression has called on states to promote strong encryption and anonymity and noted that decryption orders should only be permissible when they result from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a mass of people), and subject to a judicial warrant and the protection of due process rights of individuals.(17) Likewise, the OHCHR has echoed these calls by recommending that States avoid all direct, or indirect, general and indiscriminate restrictions on the use of encryption, target individuals only when authorised by an independent juridical body on a case-by-case basis, and only when strictly necessary for the investigation or prevention of serious crimes.(18)

    Regional Context: European Union

    Various EU institutions have stressed the importance of encrypted communications. For instance, in 2020 the Council of the European Union drafted a resolution on encryption noting that:

    “The European Union fully supports the development, implementation and use of strong encryption. The European Union underlines the need to ensure full respect for fundamental and human rights and the rule of law in all actions relating to this resolution, online as well as offline. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline protecting our societies and citizens.”(19)

    Similarly, the European Communications Code, Directive 2018/1972 of the EU, also recognises the need for encryption as a security measure and provides that:

    “Member States shall ensure that providers of public electronic communications networks or of publicly available electronic communications services take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. Having regard to the state of the art, those measures shall ensure a level of security appropriate to the risk presented. In particular, measures, including encryption where appropriate, shall be taken to prevent and minimise the impact of security incidents on users and on other networks and services.”(20)

    At the same time, anonymity online and encryption have sparked debates between lawmakers, state agencies and civil society actors in recent years. The use of encrypted communications has in particular raised concerns with law enforcement authorities regarding the identification of terrorists and perpetrators of cybercrime, citing the “dilemma of privacy versus security online.”(21) Against the backdrop of several terror attacks in Europe in the mid-2010s, some – including several lawmakers – begun perceiving encryption as an obstacle to law enforcement and have engaged in efforts to weaken it.(22)

    In 2020, the European Commission’s draft paper on “Technical solutions to detect child sexual abuse in end-to-end encrypted communications” was leaked. The document details different options to detect illegal content in end-to-end encrypted communications,(23) which were heavily criticised by experts for their numerous security and privacy risks(24).

    On 11 May 2022, the European Commission then release a proposal for a law to “Prevent and Combat Child Sexual Abuse” (CSA Regulation), which would impose an obligation on hosting, interpersonal communication and other service providers to detect, report, remove and block CSA material. This obligation extends to unknown CSA material in end-to-end encrypted, interpersonal communications, while the proposal did not include the possibility for providers to refuse the execution of a detection order based on its technical impossibility. (25) This proposal received widespread criticism, including by tech experts and civil society organisations. The European Data Protection Supervisor and the Chair of the European Data Protection Board released a joint opinion, highlighting how encryption technologies “contribute in a fundamental way to the respect for private life and confidentiality of communications, freedom of expression as well as to innovation an growth in the digital economy”.(26) With regards to the Commission’s proposal, they raised “serious data protection and privacy concerns” and called for an amended proposal that meets the requirements of necessity and proportionality and does “not result in the weakening or degrading of encryption on a general level.”(27)

    On 14 November 2023, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs adopted its position, adding protection for end-to-end-encrypted communication(28) by excluding it from the scope of detection orders(29). Eyes have now turned to High-Level Expert Group on access to data for effective law enforcement, co-chaired by the Commission and the Presidency of the Council of the EU,(30) for which encryption and anonymisation have been, inter alia, identified as the most pressing issues(31).

    Regional Context: Council of Europe

    The Council of Europe’s Commissioner for Human Rights has stressed that encryption is “indispensable for the effective protection of the right to privacy, freedom of expression, and many other human rights” as well as the confidentiality for journalistic sources and the physical security of individuals such as human rights defenders, their families, networks, beneficiaries and colleagues.(32)

    On 13 February 2024, the ECtHR issued a judgment in Podchasov v Russia, a case which concerned a fine imposed on the messenger Telegram after it had refused an order by Russian authorities to disclose technical information to disclose the end-to-end encrypted communications of several individuals suspected terrorism-related activities. The Court also highlighted the importance of encryption technology to protect the right to private life and freedom of expression and as a defence “against abuses of information technologies, such as hacking, identity and personal data theft, fraud, and the improper disclosure of confidential information.”(33) The Court then goes on to explain that to enable the decryption, it would be necessary to weaken encryption for all users by creating backdoors, making it technically possible to perform general and indiscriminate surveillance of all users’ communications.(34) It concludes that the:

    “obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken encryption mechanisms for all users; it is accordingly not proportionate to the legitimate aims pursued.”(35)

    Footnotes

    1. Article19, Right to Online Anonymity (June 2015), p. 1, (accessible at https://www.article19.org/data/files/medialibrary/38006/Anonymity_and_encryption_report_A5_final-web.pdf). Back
    2. Electronic Frontier Foundation, Anonymity and encryption (2015) at p. 3 (accessible at https://www.ohchr.org/Documents/Issues/Opinion/Communications/EFF.pdf). Back
    3. Ibid. Back
    4. See Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye (22 May 2015), A/HRC/29/32, para 60, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G15/095/85/PDF/G1509585.pdf?OpenElement/); Committee of Ministers of the Council of Europe, Declaration on freedom of communication on the Internet (28 May 2003), (accessible at https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016805dfbd5). Back
    5. ECtHR, Standard Verlagsgesellschaft MBH v. Austria (No. 3), App No. 39378/15, §76, 7 December 2021; see also ECtHR [GC], Delfi AS v, Estonia, App No. 64569/09, §147, 16 June 2015. Back
    6. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32 (2015) at para 7 (accessible at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). For further discussion and resources, see UCI Law International Justice Clinic, ‘Selected references: Unofficial companion report to Report of the Special Rapporteur (A/HRC/29/32) on encryption, anonymity and freedom of expression’ (accessible at http://www.ohchr.org/Documents/Issues/Opinion/Communications/States/Selected_References_SR_Report.pdf). Back
    7. Ibid. Back
    8. Ibid. Back
    9. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32 (2015) at para 12 (accessible at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). Back
    10. Article19, Right to Online Anonymity (June 2015), p. 1, (accessible at https://www.article19.org/data/files/medialibrary/38006/Anonymity_and_encryption_report_A5_final-web.pdf). Back
    11. Human Rights Council, ‘The right to privacy in the digital age: Report of the Office of the United Nations High Commissioner for Human Rights’ (2022) A/HRC/51/17 (accessible at https://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/HRC/51/17&Lang=E) at paras 20 and 22, UN High Commissioner for Human Rights, Apple-FBI case could have serious global ramifications for human rights (3 March 2016), (accessible at https://www.ohchr.org/en/press-releases/2016/03/apple-fbi-case-could-have-serious-global-ramifications-human-rights-zeid); see also: UN General Assembly, Resolution 75/176: The right to privacy in the digital age (16 December 2020), A/RES/75/176; Human Rights Council, Resolution 39/6: The safety of journalists 27 September 2018), A/HRC/RES/39/6; Human Rights Council, Resolution 45/18: The safety of journalists (12 October 2020), A/HRC/RES/45/18; Human Rights Council, Resolution 48/4: The right to privacy in the digital age (13 October 2021), A/HRC/RES/48/4 Back
    12. Human Rights Council, ‘The right to privacy in the digital age: Report of the Office of the United Nations High Commissioner for Human Rights’ (2022) A/HRC/51/17 (accessible at https://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/HRC/51/17&Lang=E) at para 21. Back
    13. Ibid. Back
    14. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32 (2015) at para 36 (accessible at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). Back
    15. Ibid para 40. Back
    16. Ibid para 41. Back
    17. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32 (2015) at paras 59-60 (accessible at http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). Back
    18. Human Rights Council, ‘The right to privacy in the digital age: Report of the Office of the United Nations High Commissioner for Human Rights’ (2022) A/HRC/51/17 (accessible at https://daccess-ods.un.org/access.nsf/Get?OpenAgent&DS=A/HRC/51/17&Lang=E) at pp.16-17. Back
    19. Council of the European Union, ‘Council Resolution on Encryption: Security through encryption and security despite encryption’ (2020) 13084/1/20 REV 1 (accessible at https://data.consilium.europa.eu/doc/document/ST-13084-2020-REV-1/en/pdf) at p. 2. Back
    20. Article 40 of the European Electronic Communications Code. Back
    21. Europol, ‘Director’s Speech at the conference: Privacy in the Digital Age of Encryption and Anonymity Online’ (19 May 2016) (accessible at https://www.europol.europa.eu/media-press/newsroom/news/director’s-speech-conference-privacy-in-digital-age-of-encryption-and-anonymity-online). Back
    22. Cited in Maria Koomen, ‘The Encryption Debate in the European Union: 2021 Update’ (2021) at pp. 1-2 (accessible at https://carnegieendowment.org/files/202104-EU_Country_Brief.pdf). Back
    23. See Technical Solutions to Detect Child Sexual Abuse in End-to-End Encrypted Communications (accessible at https://www.politico.eu/wp-content/uploads/2020/09/SKM_C45820090717470-1_new.pdf). Back
    24. Global Encryption, Breaking encryption myths: What the European Commission’s leaked report got wrong about online security (November 2020), (accessible at https://www.globalencryption.org/wp-content/uploads/2020/11/2020-Breaking-Encryption-Myths.pdf). Back
    25. EDPB-EDPs, Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (28 July 2022), p. 6, (accessible at https://www.edps.europa.eu/system/files/2022-07/22-07-28_edpb-edps-joint-opinion-csam_en.pdf). Back
    26. Ibid. p. 6. Back
    27. EDPB-EDPs, Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse (28 July 2022), p. 36, (accessible at https://www.edps.europa.eu/system/files/2022-07/22-07-28_edpb-edps-joint-opinion-csam_en.pdf). Back
    28. European Parliament, Child sexual abuse online: effective measures, no mass surveillance (14 November 2023), (accessible at https://www.europarl.europa.eu/news/en/press-room/20231110IPR10118/child-sexual-abuse-online-effective-measures-no-mass-surveillance); see also Andy Yen, EU Parliament made the correct decision on Chat Control today (14 November 2023), (accessible at https://proton.me/blog/eu-parliament-chat-control). Back
    29. European Parliament, Child sexual abuse online: effective measures, no mass surveillance (14 November 2023), (accessible at https://www.europarl.europa.eu/news/en/press-room/20231110IPR10118/child-sexual-abuse-online-effective-measures-no-mass-surveillance). Back
    30. European Commission, High-Level Group (HLG) on access to data for effective law enforcement (21 March 2024), (accessible at https://home-affairs.ec.europa.eu/networks/high-level-group-hlg-access-data-effective-law-enforcement_en); Statewatch, “Going dark”: will the next assault on privacy take place behind closed doors? (19 April 2023), (accessible at https://www.statewatch.org/news/2023/april/going-dark-will-the-next-assault-on-privacy-take-place-behind-closed-doors/); Article19, EU: Open letter on security-cloaked threats to encryption (11 January 2024), (accessible at https://www.article19.org/resources/eu-open-letter-on-security-cloaked-threats-to-encryption/). Back
    31. Council of the European Union, Scoping paper for the High-Level Expert Group on access to data for effective law enforcement (13 April 2023), p. 5, (accessible at https://data.consilium.europa.eu/doc/document/ST-8281-2023-INIT/en/pdf). Back
    32. CoE Commissioner for Human Rights, Encryption in the age of surveillance (26 September 2023), (accessible at https://www.coe.int/sr-RS/web/commissioner/view/-/asset_publisher/ugj3i6qSEkhZ/content/id/254726841?_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_ugj3i6qSEkhZ_languageId=en_GB#p_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_ugj3i6qSEkhZ). Back
    33. ECtHR, Podchasov v. Russia, no. 33696/19, §76, 13 February 2024. Back
    34. Ibid. §77. Back
    35. Ibid. §78. Back