#CriptoAgosto: Encryption is crucial to security, rights, and democracy
Written by
Veridiana Alimonti (See all posts from this author)
9 de September de 2021
In its second edition, #Criptoagosto – organized by Coalizão Direitos na Rede – once again mobilized the networks in August to reinforce the fundamental nature of encryption for ensuring human rights and the security of our information. This year’s campaign highlights encryption as a key element in protecting against the increased and constantly evolving capabilities for surveillance and control of the population through information and communication technologies. Encryption is, therefore, a crucial component in preserving democratic societies. One of its applications is end-to-end encryption, which is based on the principle that communication is only known by its “ends” – authorized and authenticated senders and receivers – also ensuring the integrity (non-modification) of the content sent. However, the protection of privacy and security of communications derived from there are not granted without tensions.
Encryption, privacy, and security
From the failed Clipper Chip of the 1990s, through the Apple vs FBI dispute started at the turn of 2015 to 2016, to even more recent initiatives that sought to force companies to change their systems architecture to introduce mechanisms for exceptional access to encrypted information, we repeatedly hear the discourse that privacy, protected by encryption, is an unacceptable barrier to investigations and to preserving everyone’s safety. In Australia, where a law passed in 2018 setting broad assistance obligations for tech companies, a study has already pointed out the negative economic impacts of the new rules. However, beyond economic impacts, what experts often emphasize in response is that introducing exceptional access mechanisms actually puts everyone’s security at risk under the guise of protecting it.
These mechanisms create security vulnerabilities capable of affecting all users of those technologies subject to legal obligations, either because malicious actors can exploit the exceptional access created, or because the intentional expansion of the surface vulnerable to attacks may result in problems their own developers are not aware of. On the other hand, this does not prevent criminal organizations from using other tools beyond the reach or knowledge of the authorities. IRIS research mapped the arguments that usually guide this debate. Considering international human rights standards, such solutions do not meet the requirements for the legitimate limitation of such rights, violating necessity and proportionality requirements, also taking into account alternative forms of investigation.
Nevertheless, the reform of the Criminal Procedure Code currently under discussion in the National Congress may serve precisely to create this type of obligation, mobilizing opposing reactions from civil society at the national and international levels.
Encryption, rights, and democracy
The security and privacy that encryption advances are instrumental to safeguard a series of other rights in individual and collective dimensions. It provides a secure means to access information and develop ideas in the face of persecution linked to sexuality, religion, nationality, ethnicity, among others. It provides reliable means for people to expose abuses of political and economic powers, for journalists and their sources, for groups and communities to resist intimidation, interact, and get organized safely. All of these are key building blocks in a democracy.
Nevertheless, concerns about the dissemination of disinformation, especially in applications such as WhatsApp (whose messages are end-to-end encrypted), have been unfolding into problematic proposals and premises. First, the premise that opposes interpersonal and mass communication without due consideration that they are established in a fluid relationship through group communication. This premise ends up supporting dangerous assertions that group communications should not have privacy and security protections, which would be reserved for interpersonal communication (as we can see among interviewees of the Incodes project).
Recent research from InternetLab and Rede de Conhecimento Social indicates that family, friend, and work groups play a predominant role in accessing political content on messaging apps. Don’t these groups deserve privacy and security protections? Although most of them do not reach a very large number of members, there are companies or civil society organizations that can reach dozens or even a hundred people.
Here a fundamental question arises – the relevance of such protections to the legitimate exercise of the rights of assembly and association. Marginalized communities, activists, human rights defenders, and social movements are attacked and harassed, often by local powers, with abusive actions of authorities on the ground. Thus, there must be collective channels with robust privacy and security protections through which these communities can communicate. If the number of people increases the possibility of leaks regarding content, this should not mean assuming that spaces of collective interaction are not spaces of trust.
Second, the proposal of traceability of messages forwarded to groups or similar mechanisms, stipulated in the version of PL 2630/2020 approved in the Senate (art. 10) and currently under discussion in the Chamber of Deputies. This proposal seeks to reverse privacy by design guarantees and minimization of data processing integrated with technology to create a new obligation of prior and massive retention of user data. The proposal has several problems. To name a few: identifying the origin of the first forwarded message does not mean getting to know the author of the content, regarding the various routes a content can take through different platforms and the different ways to reproduce the same message on a single platform, in addition to issues in the authentication of the information about such origin. This can lead to incorrect assumptions about authorship, reversing the burden of proof. Moreover, webs of relationships of people in general are mapped and stored by associating user data with specific contents.
Tackling coordinated structures of rights-violating disinformation can and should be compatible with the fundamentals that underscore the relevance of end-to-end encryption for individuals and groups. Traceability of encrypted messages does not meet this premise, as emphasized by UN and Inter-American Commission on Human Rights rapporteurs.
Preserving encryption to protect rights
August is ending, but the controversies continue, as does the importance of highlighting and defending the fundamental relationship between encryption, rights, and democracy. On the trail of #CryptoAgosto2021, you can learn more and get involved.
The views and opinions expressed in this blogpost are those of the author.
Illustration by Freepik Stories.
Written by
Veridiana Alimonti (See all posts from this author)
Analista sênior de políticas para a América Latina da Electronic Frontier Foundation (EFF) e doutoranda em Direitos Humanos pela Faculdade de Direito da USP. Participou de atividades da #CriptoAgosto organizadas pela Coalizão Direitos na Rede.