“The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.” – The Right to Privacy, Warren and Brandeis, 1890
The UN Human Rights Council Special Rapporteur on freedom of opinion and expression, David Kaye, has released a report declaring use of encryption and anonymization to be a Human Right. This development comes amid increasing movement by governments worldwide to restrict the use of these technologies.
Before addressing the content of the report, it may prove instructive to delve into the foundations of privacy law in the West. One of the outstanding texts from the development period of privacy law is Warren and Brandeis’ “The Right to Privacy”, published in 1890. That essay concentrates primarily on establishing the idea of a right to privacy by examining common law in the US and the United Kingdom, and while it has little to say on the issue of government regulation of encryption per se, there is clear precedent for protection of a person’s papers and effects under the Fourth Amendment. The essay also establishes privacy as a right “to be let alone”. Warren and Brandeis focus specifically on the injury that may be caused by publication of material without the consent of those involved. One can see the Apple iCloud celebrity leak as a modern example of this type of damage.
So the picture that emerges here is of two very different classes of privacy encroachment. The first is the publication of private details, be they of celebrities or not. This issue has dramatically changed in the age of self-publishing, where there are essentially no barriers to entry for publishing, especially online. Many of the celebrity leaks have proven impossible to “un-publish” from the internet, and there is effectively no legal remedy for those who have been harmed. The second encroachment relates to the role of government, a debate which has reached a fever pitch due to disclosure of numerous secret programs and secret laws by whistleblowers such as Edward Snowden.
The report by the Human Rights Council lays out other international foundations for privacy law, among them Article 12 of the Universal Declaration of Human Rights, which demands: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Further along, Article 19 states that “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”
So here are two moral justifications for the privacy of individuals: that they are entitled to be “Let Alone”, and that they have a right to free expression and opinion without interference. In practice, of course, limitations on these rights have been made in the public interest. A mafia kingpin may have his phone tapped or his mail opened by appropriate authorities under a legal framework, and this encroachment is seen generally as positive for the community, in that it serves the needs of justice. However, a program that taps all the phones in a country without any due process for individuals would violate the rights of opinion and security in property (including intangible goods). The balance here is difficult to strike, but considering that the effort here has been underway for quite a long time, it is entirely possible to reach a balance of the concerns of justice and of civil liberty, and most societies, through the use of warrants and court processes, have reached such a balance.
However, as it is apt to do, technology often throws a wrench in our attempts to balance competing concerns. This is the story of encryption. Encryption is hardly a new technology. Taking it from the Greek roots, cryptography is the study of secret (crypto-) writing (-graphy). The classical Greeks themselves employed it within their military and government systems to ensure security. However, in the modern era the ubiquitous accessibility and necessity of secure communication (especially with the rise of the internet) have changed the landscape dramatically. The situation then arises where, even if it is in the public interest and under agreed-upon legal frameworks to do so, enforcement bodies may never be able to decipher communications of their targets, legitimate or otherwise. “Strong” encryption is the backbone of much of the system of global commerce and communications that allows the internet to function economically.
The proponents of weakening encryption to make messages available to law enforcement often trot out a menagerie of bugbears, among them terrorists, financial criminals and child pornographers, all of whom are able to use encryption and anonymization technologies to evade the law and continue their activities against the public interest. In recent speeches James Comey, the director of the FBI, has lamented “Going Dark”, or the loss of surveillance capabilities against these targets leading to increased risk to the public. However, these government groups still recognize the importance of encryption in maintaining the “Right to be Let Alone” in the face of unauthorized actors, be they hackers, foreign governments, or what-have-you. In an attempt to balance these concerns, governments have proposed a number of methods to preserve individual security while at the same time allowing the government unfettered access to communications. These include key escrow, where a copy of every user’s cryptographic key, or portions thereof, is held in a government repository; limiting the strength of cryptography to what can be easily broken by a government’s computing power but not the computing power of an ordinary ne’er-do-well; and cryptographic backdoors, which, due to eccentricities of cryptosystems, will allow individuals with secret knowledge of the system to break the encryption but no one else.
All of these proposals are problematic, mostly on the grounds of efficacy and human rights. Key escrow was proposed in the United States under the “Clipper chip” system during the infamous “crypto wars” of the early 1990s. While the most appealing of the proposed alternatives from an individual security perspective, the idea was seen as too Orwellian to be implemented in a nation that is generally distrustful of government. Even if access to this key repository were controlled through a process of warrants, the existence of such a repository presents an outsize security risk in the event of a data breach. Also, under the routinely opaque processes of bureaucratic governance there is no surety that even the established protocols for obtaining the crypto keys of individuals would always be followed.
Key shortening and other limitations on the strength of cryptographic technology also present an outsize threat to the individual, as the processing power of governments, corporations, and hackers has grown. Where before only the NSA had the computing power to break certain algorithms, now that power has been democratized. A miscreant with a botnet or buying time on cloud servers could crack open the communications of one of their targets just as quickly as most foreign governments could. So key shortening is shown to no longer be security at all.
Finally, backdoors are the most troubling solution. If a cryptosystem is presented as secure, but in reality has a weakness that allows it to be quickly broken open at limited computational cost by anyone who knows the secret, the personal security of every user of that system is now dependent on the security of that secret. If that secret escapes, then all is compromised. This sort of “Master Key” system is born of a particular type of hubris, that no one else is quite as clever as we are, and that therefore our secret is safe and will remain so. Unfortunately this method has been attempted covertly at least once, and exposed for the massive risk it is.
So in the face of absolutely justified concerns for the public safety with regard to encryption and anonymization, what can be done to balance these concerns with our tradition of human rights and free expression? While law enforcement bodies are justified in their fears of “Going Dark”, as of yet no proposals give appropriate concern to the established “Right to be Let Alone” or the traditions of international human rights. This act of balancing concerns continues, but the Special Rapporteur is absolutely correct in prioritizing fundamental human rights over law enforcement concerns.