Many governments are neglecting or ignoring their duty to protect online encryption that helps ensure freedom of expression and privacy, the UN expert on digital privacy rights said on Monday.
In many states including Russia, China, Iran, Turkey, Pakistan and Britain, citizens cannot count on keeping their online conversations private, according to a report prepared for the UN Human Rights Council by special rapporteur Joseph Cannataci.
There had been a surge in state restrictions on encryption in the past three years, Cannataci wrote in a report submitted to a three-week session of the Council that began on Monday.
“Since 2015, states have intensified their efforts to weaken encryption used in widely available communications products and services,” the report said.
It said pressure has been mounting for companies to install “backdoors” in software to give law enforcement officials access to encrypted messages or secured devices, even though governments already have many other investigative tools they could use. Such backdoors give hackers a potential vulnerability to exploit, it said.
“A state’s obligations to respect and ensure the rights to freedom of opinion and expression and to privacy include the responsibility to protect encryption,” the report said.
It said other measures that systematically weaken encryption and digital security, such as key escrows and data localisation requirements, also interfere with users’ rights.
Limits to encryption must be necessary, legal, legitimate and proportional, the report said. Blanket bans plainly did not meet those conditions.
But many states had criminalised the use of encryption, the report said, citing Iran’s 2010 ban, Pakistan’s “vague criminal prohibitions” which could be interpreted to crack down on encryption tools, and Turkey’s detention of thousands of citizens for using an encrypted messaging app.
Other countries, including Russia, Vietnam and Malawi, required government approval of encryption tools. Russia and Iran had both banned the Telegram messaging app, after the company refused to give up the encryption keys.
China’s 2016 Cybersecurity Law requires network operators to “provide technical support and assistance” to state and public security for national security and law enforcement, while Uganda and Mexico use malware to monitor government critics, according to the report.
Britain’s 2016 Investigatory Powers Act, known by critics as the “Snoopers’ Charter”, gave the government vaguely formulated powers that could oblige network operators to include backdoors, remove end-to-end encryption and cooperate with a wide range of government hacking measures, the report said.
It recommended that states pass laws spelling out permissible restrictions on encryption and anonymity.