Securing privacy: Privacy International on end-to-end encryption
EDRi member Privacy International's (PI) report on end-to-end encryption (E2EE) analyses and defends expanding the use of E2EE to protect our communications. It defines E2EE, delves into its human rights implications, briefly addresses some prominent proposals for government access to E2EE content, and concludes with PI’s recommendations regarding E2EE.
End-to-end encryption (E2EE) contributes significantly to security and privacy. For that reason, PI has long been in favour of the deployment of robust E2EE.
Encryption is a way of securing digital communications using mathematical algorithms that protect the content of a communication while in transmission or storage. It has become essential to our modern digital communications, from personal emails to bank transactions. End-to-end encryption is a form of encryption that is even more private. It ensures that only the “ends” of the communication, usually the person who sent the message and the intended recipient(s), can decrypt and read the message.
As described in more detail in PI’s paper on E2EE, E2EE attempts to recreate, in the digital world, the guarantees of privacy that have traditionally applied in private face-to-face conversations.
As more of people’s lives are lived in the digital realm, communication security tools, such as E2EE, are increasingly important to the protection of human rights, including the right to privacy. E2EE gives us access to safe and private spaces for personal development where we can communicate without interference. It protects us from criminals. It protects us from unnecessary and disproportionate surveillance. This secure space is also essential for those who seek to challenge powerful interests, including journalists, protestors, political opposition and human rights defenders. E2EE thereby facilitates the exercise of human rights beyond privacy, including freedom of expression and opinion. Such a space is necessary for all of us.
But E2EE is not universally applauded. Governments see the expansion of E2EE as a threat to their ability to access our communications. Governments may occasionally have legitimate reasons to seek this access, including for targeted law enforcement investigations. An E2EE communication, however, is not as easy to access as other forms of digital communications. Indeed, allowing governments to obtain the content of the communication while in transit would destroy its end-to-end encrypted nature. For that reason, governments have put forth a variety of proposals for how to access E2EE communications while, purportedly, retaining their security. We briefly address some of the most prominent of these proposals in the paper.
To date, no proposal has successfully preserved E2EE while also providing government authorities the access they seek. Other less intrusive investigative techniques, such as targeted surveillance of communications subject to robust safeguards, remain open to governments, however.
On balance, PI remains strongly in favour of the continued expansion of E2EE to secure our communications. Breaking E2EE puts our privacy, security and freedom at risk.
For these reasons:
- PI supports the expansion of end-to-end encryption and would like to see end-to-end encryption be the default in devices, messaging services, networks and platforms for data in-transit. This not only creates more secure communications but reduces the potential for data exploitation by companies who will no longer have access to the content of the E2EE communications.
- PI encourages the use of end-to-end encryption because it protects the security of our communications and raises the cost of modern, intrusive forms of surveillance like mass surveillance of the content of communications. This helps restore the balance between increasingly powerful forms of technological surveillance and our human rights.
- PI recommends end-to-end encryption be legally available for use by everyone, and especially by human rights defenders, journalists and others at risk around the world. But such use must come with the caution that encryption secures the content of communications but rarely secures the metadata of communications. Some states also place restrictions, including criminal sanctions, on the use of encryption, so prospective users should be aware of their local law.
- PI opposes current proposals by governments, intelligence agencies and law enforcement agencies for access to the content of or the banning of end-to-end encrypted communications. PI opposes the imposition of requirements for mandatory general client-side scanning. Such proposals take away important security protections and are disproportionate, threatening multiple human rights, including privacy and freedom of expression. Breaking encryption for one government breaks it for everyone.
The article was first published by Privacy International here.
Visual credit to Privacy International (CC BY-NC-ND 2.0 UK).
Contribution by: EDRi member Privacy International