In his first report as UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye fired a shot across the bow of governments trying to force companies to build “back doors” into encryption software. His 21-page report, which will be presented to the UN Human Rights Council tomorrow, concludes that encryption and digital anonymity are essential to protecting the foundational human rights of privacy and freedom of opinion and expression. Accordingly, limitations on them must be narrowly drawn.
Kaye makes an important distinction between the closely related concepts of freedom of opinion and expression, noting that the International Covenant on Civil and Political Rights (ICCPR) deliberately doesn’t allow any restriction of the former. In the digital age, Kaye argues, holding opinions “is not an abstract concept limited to what may be in one’s mind.”
Individuals regularly hold opinions digitally, saving their views and their search and browse histories, for instance, on hard drives, in the cloud, and in e-mail archives, which private and public authorities often retain for lengthy if not indefinite periods. Civil society organizations likewise prepare and store digitally memoranda, papers and publications, all of which involve the creation and holding of opinions.
By emphasizing the difference between the right to hold an opinion and the right to express it, Kaye establishes a personal space to explore ideas and formulate opinions that should not be infringed by governments, even in the name of national security or public order. Encryption and anonymity preserve this space and restrictions on them “may interfere with the ability of individuals to hold opinions.”
I think Kaye is onto something here, but may not have fully captured it. We can hold opinions in our heads without expressing them. Perhaps the same can be said of our browsing history, which reflects our search for information that will allow us to form an opinion and is also protected. On the other hand, opinions captured in at least some documents that we create can be regarded as expression as well. The overlap between what constitutes opinion and what constitutes expression means that more work is needed to parse the distinction.
In evaluating whether restrictions on anonymity and encryption violate freedom of expression, Kaye rightly takes a demanding approach, which stands in contrast to the deferential posture often adopted by national courts in evaluating rights infringements in cases involving national security and public safety.
Although specific standards may vary from right to right, or instrument to instrument, a common thread in the law is that, because the rights to privacy and to freedom of expression are so foundational to human dignity and democratic governance, limitations must be narrowly drawn, established by law and applied strictly and only in exceptional circumstances. In a digital age, protecting such rights demands exceptional vigilance.
Strict rigor is evident in Kaye’s application of the familiar three-part test: any limitation on expression must be provided for by law; may only be imposed for legitimate grounds identified in the ICCPR; and must “conform to the strict tests of necessity and proportionality.” His discussion of legitimate interest and necessity is particularly interesting because this is generally strong ground for governments:
The argument made by various governments that constraints on encryption are necessary to meet law enforcement needs is found not to have been sufficiently demonstrated. Restrictions have generally not been shown to be necessary to meet a particular legitimate interest. This is especially the case given the breadth and depth of other tools, such as traditional policing and intelligence and transnational cooperation, that may already provide substantial information for specific law enforcement or other legitimate purposes.
Of course, many of the alternative tools that Kaye describes (wiretapping, geo-location and tracking, data mining, traditional physical surveillance) could not or would not be used indiscriminately in many countries. For example, in the US wiretapping and, in many jurisdictions, geo-location and tracking, would require a warrant. Physical surveillance is too resource intensive for large-scale use. The one element listed by Kaye that could be broadly available is data mining. But given his mandate’s central concern it’s hard to imagine that Kaye would be comfortable with the widespread use of data mining.
On proportionality as well, Kaye is unconvinced that government-imposed restrictions on citizens’ digital anonymity and use of encryption are proportionate because they “have broad, deleterious effects on the ability of all individuals to exercise freely their rights to privacy and freedom of opinion and expression.” Proposals for providing governments back door access to encrypted devices and software suffer from the same flaw:
[B]ased on existing technology, intentional flaws invariably undermine the security of all users online, since a backdoor, even if intended solely for government access, can be accessed by unauthorized entities, including other States or non-State actors. Given its widespread and indiscriminate impact, back-door access would affect, disproportionately, all online users.
Key escrow systems (which allow users to encrypt but require them to keep private keys with the government or a trusted third party for use in case of need) too have inherent vulnerabilities that “render them a serious threat to the security to exercise the freedom of expression.”
Although much recent debate has been focused on encryption and back doors, Kaye also devotes time to anonymity, explaining its importance:
Encryption protects the content of communications but not identifying factors such as the Internet Protocol (IP) address, known as metadata. Third parties may gather significant information concerning an individual’s identity through metadata analysis if the user does not employ anonymity tools.
Several countries explicitly reject anonymity and others undermine it through measures requiring real name registration for various types of online activity and for mobile telephones. Some countries, including the US, recognize the importance of anonymity for free speech. Kaye notes that some countries have banned the use of anonymity tools such as Tor, which in his view ought to be promoted. (One issue that he doesn’t address is the NSA’s targeting of Tor users, which is surely deleterious to the anonymity.)
Many of the themes articulated in the report resonate for the privacy debate beyond encryption and anonymity. Like the 2014 report of the Special Rapporteur on Counterterrorism and Human Rights, Kaye’s use of a rigorous approach to evaluating necessity and proportionality for measures that broadly affect online activity almost inevitably invalidates many (if not all) NSA-style mass surveillance programs. Notably, neither special rapporteur completely closes the door to such broad measures; rather both insist that governments need to make a public and specific case for why they are necessary. It’s obvious that neither rapporteur believes that such a case has yet been made.