United Nations report voices digital rights groups’ concerns over encryption in EU’s new rules

On 16 November 2022, the United Nations Human Rights Office published a report on the right to privacy in the digital age warning against the European Union’s plans to undermine encryption and the threat of mass surveillance in the proposed chat control legislation.

The report focuses on the widespread abuse of intrusive hacking tools, the key role of robust encryption in ensuring the enjoyment of the right to privacy among other rights and the widespread monitoring of public spaces.

When the state is the “security threat”: State hacking

 The first section of the report is dedicated to a number of different strategies used by states (and other actors) to facilitate hacking practices. The Office of the High Commissioner for Human Rights (OHCHR), which authored the report, focuses on some of the latest scandals in Europe, among which is the Pegasus spyware. Currently, under investigation by the European Parliament, the Pegasus spyware infected over 50,000 phones including “89 journalists, 85 human rights defenders, over 600 politicians and government officials as well as cabinet ministers”. This was done by 60 government agencies in 45 countries, according to the Israeli private company NSO Group that created the spyware. In the report, the OHCHR makes it clear that “the hacking of personal communication devices constitutes a serious interference with the right to privacy” and that its use impacted the mental health of human rights defenders and politicians, among others, with some of them subjected to torture or murdered as a result of the use of such spyware.

The report criticises the abuse of vulnerabilities in computer systems as it damages our digital infrastructure (para 13) and also criticises the lack of safeguards in many jurisdictions to prevent unlawful state hacking (paras. 16-17). The problems with state hacking are something already EDRi touched upon in this paper on encryption workarounds. The upcoming updated EDRi report on encryption and state hacking will discuss some of the strict safeguards needed for state hacking to be legitimate.

Secure and private communications: the need to protect encryption 

The UN Report highlights that encryption is a key enabler of privacy and security online and that it is essential for safeguarding rights, including the rights to freedom of opinion and expression, freedom of association and peaceful assembly, security, health and non-discrimination. Encryption is a tool which enables each one of us, and society in general, to share information in digital spaces confidentially, safe from privacy-intrusive eyes. This is relevant for everyone, but especially so for journalists, whistleblowers, and civil rights defenders whose work relies on trusted and secure private communication. Specifically, the OHCHR shows how women, people exploring their gender identity and sexual orientation, and human rights defenders in general benefit from encryption (para.21).

The Report explicitly mentions the “Child Sexual Abuse Regulation” (CSAR/Chat Control) proposal, which lays down rules to prevent and combat child sexual abuse” material online, from the European Commission that puts encryption under threat as it suggests measures which put the vital integrity of secure communications at risk. Particularly, the report mentions it in the context of client-side scanning to detect content such as child sexual abuse material (CSAM) (paras 26-28). EDRi supports the analysis that imposing client-side scanning would create “dire consequences” for the enjoyment of the right to privacy and other rights. As EDRi and 114 other civil society organisations pointed out in this public letter, the UN Report voices that this type of indiscriminate surveillance is likely to have a chilling effect on fundamental rights such as media freedom, freedom of expression and freedom of assembly and association.

Reclaim Your Face: End biometric mass surveillance

Finally, the report (paras.30-34) raises concerns regarding mass surveillance in public places, an issue widely discussed and popularised through the successful EDRi-led ReclaimYourFace coalition. These concerns will undoubtedly impact the ongoing negotiations on the Artificial Intelligence Act (AI Act) where we have the opportunity to ban biometric mass surveillance and strictly limit other AI-based harmful technologies. Some of the technologies that the UN report finds concerning are the online monitoring of social media or practices such as predictive policing (35-37). On the latter, the report recognises what EDRi has been long talking about that mass surveillance has a huge impact on marginalised communities because of the use of AI, including facial recognition and predictive policing.

How to fix it?

The report reminds us that when interfering with human rights policy-makers need to ensure that the principles of necessity and proportionality are respected. Current public surveillance measures often fail to meet those requirements (para 49 and 51).

EDRi supports the report’s recommendations to states (53-57). The EDRi network will keep advocating and calling on policy-makers in Brussels to ensure these recommendations are taken seriously at the national, EU and international levels. In the short term, this report should influence the ongoing discussions on the CSAR and the AI Act.

Contribution by: