UN Report on the Value of Encryption to Freedom Worldwide

The United Nations' Office of the High Commissioner released a report on the value of encryption and anonymity to the world:

Summary: In the present report, submitted in accordance with Human Rights Council resolution 25/2, the Special Rapporteur addresses the use of encryption and anonymity in digital communications. Drawing from research on international and national norms and jurisprudence, and the input of States and civil society, the report concludes that encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.

Here's the bottom line:

60. States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. In addition, States should refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users. Corporate actors should likewise consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms). Court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals.

One news report called this "wishy-washy when it came to government-mandated backdoors to undermine encryption," but I don't see that. Government-mandated backdoors, key escrow, and weak encryption are all bad. Corporations should offer their users strong encryption and anonymity. Any systems that still leave corporations with the keys and/or the data -- and there are going to be lots of them -- should only give them up to the government in the face of an individual and lawful court order.

I think the principles are reasonable.

Posted on May 29, 2015 at 7:49 AM • 39 Comments

Comments

uh, Mike • May 29, 2015 8:32 AM

So the corporations are Trent. I prefer that to the Government being Trent. But I think a system that has Trent is as inherently flawed as Trent.

CouldntPossiblyComment • May 29, 2015 9:17 AM

From the news article: "The UN report, however, did not mention how "court-ordered decryption" could be carried out unless tech companies built backdoors into their encrypted products" - pretty sure it did.

I find the comment in Ars Technica surprisingly uninformed or curiously trying to change the subject. Surely they've heard of the monkey-wrench technique? By definition, someone always has a key to decrypt encryption.

I don't think the UN report was meaning 'if a court in the US decides that data in Iran must be decrypted, they're at liberty to go steal the key and/or backdoor the technology'. They just meant that if you have legal jurisdiction to demand access to encrypted data, you can. It even appends the statement with 'transparent and publicly accessible laws'.

Now, sure, various countries including the US have an annoying habit of assuming they have jurisdiction over everything, and/or writing bad law, but a UN report isn't going to change that.

@Winter: That doesn't stop plenty of US organisations promoting anti-anonymity in lots of subtle ways. Look at Blizzard's Real ID for an example in the online gaming space. You don't have to force lack of anonymity, just link real users to lots of things they feel they can't do without.

Jeff • May 29, 2015 10:04 AM

Australia requires SIM card registration, and it's annoying: buy a SIM at the airport, and you must call the telco with name, passport, etc., before the SIM will work. I just visited the UK: buy a SIM and pop it in -- it works immediately.

Joe K • May 29, 2015 11:21 AM

Message for James Comey: UN Human Rights Commission's special rapporteur either "doesn't see what you see or is not fair-minded".

Poor guy. He's depressed, you see.

Nobody sees it his way.

rgaff • May 29, 2015 11:40 AM

That ars technica article doesn't make any sense.... why do they suggest that the UN must be somehow supporting backdoors, when the UN explicitly says:

"States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows."

How much clearer can that be??

Then the UN says:

"Court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals."

Ok.. so the UN is saying court-ordered decryption can only happen when ALL of the following conditions are met:

1. Domestic and international law, that is transparent and publicly accessible.
2. Can only be targeted at an individual (not a mass of people).
3. Must have a warrant, issued from due process.

Nowhere does it say the court must figure out how to technically make sure the decryption always happens. It only says the court may ORDER it! And so that only implies that court can punish someone if they refuse to hand over a key, for example! IT DOES NOT IMPLY ANY BACKDOOR! In fact, it explicitly states that backdoors are unacceptable!

Now I have a different problem with requiring someone to fork over a key or password on pain of punishment, but that's a totally separate issue from backdoors....

albert • May 29, 2015 11:49 AM

Another day, another UN Report...yawn...another report that no one will read (because thinking people pretty much know what it's gonna say), and most countries will pick apart to find things to bitch about.
.
@Winter,
Clearly, officials in the USA (including SCOTUS) don't give a rat's ass about the Constitution. It's just a convenient prop to trot out when we're out and about Nation-Building* and 'promoting' Democracy and Free Markets.
.
* Making the World safe for Democracy, one war at a time.
.
@Everyone,
Here's an idea: make it illegal for ANYONE to demand access to ANY communication for ANY reason.

Lev Bronstein • May 29, 2015 12:12 PM

@Winter.

Your naivete and innocence is so cute. It is to laugh. The FedGov caring about the constitution.

Dude • May 29, 2015 6:06 PM

I agree totally with everything in your article, Bruce, but I have a question about the title. The blog refers to this article as "UN Report on the Value of Encryption to Freedom Worldwide." I do not understand the full sentence. What does "encryption to freedom" represent?

Suggest: "UN Report on the Value of Freedom of Worldwide Encryption," maybe?

rgaff • May 29, 2015 7:22 PM

@ Dude

Parse it this way:

"UN report on

the value of encryption

to freedom worldwide"

so...

encryption is valuable

and it's valuable because encryption enables freedom

Thoth • May 29, 2015 7:30 PM

@Joe K
I wonder if high ranking officials like James Comey and the FBI had a stake or some sort of dealings somewhere in SIGINT products otherwise the very strong push to curb civilian privacy and security besides their usual operations?

tyr • May 29, 2015 7:59 PM


Since the FBI came up in this:

You might ask yourself how a FIFA election loss by a Saudi
led to the current mess over soccer. I seem to recall a
certain whistleblower girl "the most heavily gag ordered
person in US history", saying that there was a deep set
of collusion going on between the Saudis and the FBI.

Suddenly world soccer is being roughly handled by our
forces of right and good and true. Probably just another
coincidence. The talking heads have their own mad agenda
and don't want the world to escape from it. I also see
that Stuxnet is back in the news in a particularly nasty
and damning fashion. Things get more interesting every day
in the sense of interesting times used in the Chinese curse.

At least someone in the UN gets it, about time too, far too
many are clueless about destroying the basis of law and
civil society in the mad rush to control everything.

Jayson • May 29, 2015 8:48 PM

@albert

@Everyone,
Here's an idea: make it illegal for ANYONE to demand access to ANY communication for ANY reason.

You realize that in the previous sentence you stated that the laws are ignored... ;)

Perhaps we should just encrypt all communication end to end and make demands moot.

Dude • May 29, 2015 8:51 PM

@ rgaff Reading the sentence of the title alone, I find the use of the word "worldwide" confusing. Maybe it's just me but that sentence reads like some sort of steganography to me.

rgaff • May 29, 2015 10:58 PM

@ Dude

That's because freedom is enabled all over the world, not just in your own country or region. What makes encryption valuable is that it spreads freedom all over the world, because the internet is a worldwide thing.

But it seems almost as if western civilization has had enough of freedom, they long for those awesome dark ages and want worldwide dictatorship instead.

65535 • May 30, 2015 2:58 AM

I find it interesting that these various decisions and disclosures are occurring on the eve of the second vote for re-authorization of Section 215 of a Patriot Act [the vote to be held on a Sunday – a holiday]. It appears the stakes are very high for a number of parties including the NSA.

I say just let Section 215 die and be done with it! Section 215 never caught any terrorists – it just spied on Americans.

I am sure that the ACLU and the EFF are watching closely but Emptywheel is the only blog that has been reporting regularly in understandable terms [unlike the Main Stream Media].

"DOJ’s Inspector General just announced it completed its draft report on the use of Pen Register/Trap and Trace between 2007 and 2009 15 months ago, but the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees. This is another report that should have been released long before the current debate on the PATRIOT Act… Last week, much of DC discovered for the first time — because of the delayed release of DOJ IG’s report on Section 215 — what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used up until 2009 (that is, as FBI just started using 215 for that Internet collection), Section 215 wasn’t all that useful… the 15-month old PRTT report DOJ’s IG just released would have information that is equally important to this debate." - emptywheel

https://www.emptywheel.net/2015/05/28/doj-ig-issues-yet-another-classified-report-that-should-be-public-before-congress-votes-on-patriot-act/

[more on Stellar Wind and the 90 day renewals]

https://www.emptywheel.net/2015/05/27/behold-br-15-24-the-oldest-phone-dragnet-order-ever/

[Hiding Section 215's machinery in Reagan’s Presidential Order via the Intelligence Community]

https://www.emptywheel.net/2015/05/27/intelligence-committees-still-trying-to-force-agencies-to-follow-reagans-rules/

@ rgaff

“…the UN is saying court-ordered decryption can only happen when ALL of the following conditions are met: 1. Domestic and international law, that is transparent and publicly accessible. 2. Can only be targeted at an individual (not a mass of people). 3. Must have a warrant, issued from due process.”

That is the way I read the UN report.

It is a step forward for privacy advocates. It does mention court-ordered decryption in limited circumstances – but that is the UN’s give and take stance.

[See Summary on page 20 – 21 in bold]
http://cdn.arstechnica.net/wp-content/uploads/2015/05/UNencryption.pdf

@ Winter

Your first link supports your argument – which is good. But, the second link involves a Canadian Supreme Court ruling where the defendant lost his case and his right to privacy. I am not sure how to interpret the overall impact this will make in the USA.

“Today, the Canadian Supreme Court handed down its long-awaited decision in R. v. Spencer… Spencer was convicted by the trial court of possession of child pornography. Spencer appealed his conviction on the grounds that the warrantless disclosure of his personal information was not authorized by law (therefore violating) his Charter right to be protected against unreasonable search and seizure by the state). The prosecutor contended, among other things, that the disclosure was permitted by Shaw’s Internet subscription contract and terms of use agreement, and by section 7(3)(c.1)(ii) of the Personal Information and Protection of Electronic Documents Act (PIPEDA)...

“The Supreme Court decided that the disclosure did violate Spencer’s Charter rights, but that due to the gravity of the offence, exclusion of the images as evidence would bring the justice system into disrepute. Spencer’s appeal was denied and his conviction for possession of child pornography was upheld [by the Canadian Supreme court].” –Sam Trosow

https://samtrosow.wordpress.com/2014/06/14/supreme-court-confirms-importance-of-information-privacy-and-internet-anonymity/

Returning to the Big Picture for Privacy Advocates, I would keep my eye on the Section 215 Vote due on Sunday the Thirty-first and lobby to let Section 215 sunset and die without any further action. It is a travesty that needs to stop now!

rgaff • May 30, 2015 3:42 AM

Sounds like those Canadians don't really have the whole "fruit of the poisonous tree" concept... That could explain how the "Mounties always get their man" :)

John • May 30, 2015 9:06 AM

@rgaff

Indeed, I agree with all your points. Although you could have added a fourth point.

4. Nowhere does the UN state that a legal warrant allows for the covert decryption of intercepted data.

And frankly, the only real purpose for any proposed "backdoor" to encryption is to permit the covert decryption of data. If the government really wants to know what the content is, then they can get a warrant and require the person to decrypt it, and if necessary, have legal penalties available to impose if the person refuses to perform the decryption.

rgaff • May 30, 2015 12:05 PM

@ John

Yes, I could have explicitly said that instead of only implying it...

With regards to any backdoor being for covert decryption, yes, and also maybe they're trying to do an end-run around any possible 5th amendment protection preventing someone from being forced to decrypt? Though they just don't strike me as thinking this far ahead, more like bull in a china closet not caring of the consequences ("I want my power dammit!")

name.withheld.for.obvious.reasons • May 30, 2015 12:47 PM

@ 65535

I find it interesting that these various decisions and disclosures are occurring on the eve of the second vote for re-authorization of Section 215 of a Patriot Act...

There is little doubt that the conspiracy to control the political environment would include the management of "information" and "data" related to illegal government(s) activity. Just before the vote on HR 4681 last year, the text of the bill (summary version) was modified (the official legislative text published on house.gov) changing the controversial language in section 308 by replacing it with the language from section 310 thus rendering the bill harmless. That moment spoke volumes--it received no press whatsoever.

What bothers me about the DoJ report is two fold; first, the general tone of the report is similar to the FISA court report (October 2011) that chastised the NSA for its belligerent attitude (to the level of illegal activity), second is the section of the report that shows the "programs" for business records and reveals (by way of redaction) five other programs. It can be assumed that these business records are the ones enumerated in the FAA and section 702.

whats in the smoke signals? • May 30, 2015 1:55 PM

I was waiting for the squid to ask what you all think the security of a service like firefox-sync can be.

watching headers, i see it update known structures with known plain-text component so very often that i think the more it runs, the easier it would be to decrypt it.

doubly so if you were also aware of the https domains visited, triply so if you had the full long http requests of the user.

knowing that differential cryptanalysis lets you do amazing things, i am wondering just

- how pedestrian the technique is today
- what if anything has leaked about its use
- and if a cloud service using otr encryption for transport and block storage would make more sense than what is offered by mozilla and mega.


Marcos El Malo • May 30, 2015 5:35 PM

@John

Well, presumably the agency interested in the encrypted data could break the encryption on their own (or die trying). If the information is not important enough to put in the effort, then they shouldn't get it at the expense of our civil liberties. Backdoors are just an example of laziness on the part of security agencies.

Clive Robinson • May 30, 2015 7:31 PM

@ John,

And frankly, the only real purpose for any proposed "backdoor" to encryption is to permit the covert decryption of data.

Yes, unfortunately they also have an almost unbeatable argument to get it... it's along the lines of the famous "do you still beat your wife" question.

They state they need the backdoor to prevent the injury or loss of life to individuals, then to avoid the statistical reply (why not spend the money on road safety etc etc) they employ the "think of the children" tactic with "Would you stop us stopping a terrorist / etc from kidnapping and torturing your child or anybody's child?"

At which point you have a choice agree with what they want or be a failure in the public eye...

The only way around it is to spike their guns with a preemptive strike in the public eye, but no journalist is going to do that or even allow it because for them it would be career suicide...

Anonymous Coward • May 30, 2015 7:35 PM

Civil Society is a pretty scary thing, though. Mostly, Civil Society Organizations are mouthpieces and arms of the very same states also in the study - funded by them, set up and organized by them and sometimes even directly chartered by them.

I agree with the conclusion. But basically what this means is that the nations writ large see more benefit to disrupting other 'non-civil' nations than they see damage to themselves.

whats in the smoke signals? • May 30, 2015 8:27 PM

@AC

> basically what this means is that the nations writ large see more benefit to disrupting other 'non-civil' nations than they see damage to themselves

thus my question re differential cryptanalysis bwo firefox-sync. i see an elephant in the room. does anyone else?

65535 • May 31, 2015 1:55 AM

@ name.withheld.for.obvious.reasons

“What bothers me about the DoJ report is two fold; first, the general tone of the report is similar to the FISA court report (October 2011) that chastised the NSA for its belligerent attitude (to the level of illegal activity), second is the section of the report that shows the "programs" for business records and reveals (by way of redaction) five other programs. It can be assumed that these business records are the ones enumerated in the FAA and section 702.”

That is a good point.

I cannot get a grip on the other programs because of all the redactions – but I am sure that they are unethical.

The second re-authorization vote for Section 215 will be held in one day [Sunday the thirty-first]. I suspect the vote will take place out of the media’s sight and too late in the night for the public to react.

Once Section 215 is dead it will be time to chop-off the tentacles of 702 and its various programs. Section 215 and 702 effectively create quasi martial law. That has to stop!

If the Senators flip their vote and pass the re-authorization of Section 215 it will be a dark day in history.

It will also show how powerful and deeply entrenched the Intelligence Community is in the law making process. Both are bad for the USA and the World.

Clive Robinson • May 31, 2015 3:29 AM

@ Bruce,

You might want to look at the International Telecommunications Union (ITU) report on their view of the world's nations' cyber state,

http://www.itu.int/dms_pub/itu-d/opb/str/D-STR-SECU-2015-PDF-E.pdf

It's a bit of a lengthy report but you might find it of interest.

@ ALL,

For those not up to speed on the ITU's involvement in the Internet, you might consider reading up on the last major meeting they had and the events that happened. All I can say is that if the meeting were to be re-run post Snowden revelations the outcome would have been very very different and the FiveEyes would be licking wounds that would not as easily heal as putting pressure on a handful of US elected vacillating money pits.

Czerno • May 31, 2015 5:20 AM

Off-topic : When is a squid not a squid ?

Answer : - When it's a canari !

Seriously, @Bruce, no new squid story ? Fishy, isn't it.

65535 • May 31, 2015 6:49 AM

It is now Sunday, the day for the big vote on Section 215 and the “USA Freedom Act.” I suspect the Intelligence Community will be fear mongering and doing more arm twisting than in a wrestling match. In short, be prepared for some unexpected outcome!

Here is the EFF take on political maneuvering:

'What Will Happen Sunday?'

"It's unclear. The Obama Administration unsurprisingly left itself wiggle room to continue the calling records program. In the same DOJ memo noting the program's closure, the administration also said that if the House passed a Senate reauthorization on June 1—technically after the provisions expire—the White House would continue the provisions. While there are news reports of further compromise on the House's USA Freedom Act, lead cosponsor Rep. Jerry Nadler has ruled out any further weakening of the bill.

"What we do know is that the Senate calendar says it may hold another vote on the USA Freedom Act in the afternoon. Sen. McConnell is vigorously campaigning to reauthorize Section 215 without any reform. Any vote scheduled in the afternoon of May 31—about 8 hours before the provisions formally expire—will surely be used to fear-monger for a short-term reauthorization. In response, the Senate must stand strong and vote down any short-term reauthorization... Be sure to tune in to @EFFLive for live updates on Sunday." -EFF

https://www.eff.org/deeplinks/2015/05/us-senates-patriot-act-fail

I say let Section 215 die and be done with it – no extension or short-term re-authorization for any part of it. It is mass spying at its worst!

SMD • May 31, 2015 7:04 AM

Expect some "Incident" to conveniently happen so the Fear Mongers can say "See I told you that would happen if we did not renew it".

░▒▓█ • May 31, 2015 7:55 AM

Takes a foreigner to make sense of this PATRIOT Act hysteria

Leif Ryge: "can someone explain why people expect the expiration of a law to bring an end to programs which the court ruled that law never authorized?"

It was clandestine before, it will be clandestine again.

Clive Robinson • May 31, 2015 10:38 AM

@ Slime Mould...,

As usual, you can take this opportunity to razz Bruce for forgetting the Squid Thread (providing nothing really unfortunate has befallen our gracious host).

As Bruce and the Moderator appear to be two separate people, I suspect that the Moderator would have popped up to say something if something that could be talked about was up with Bruce...

Anything in other news which might be relevant?

That said the last Friday Squid thread is well past 2^8 postings and still rapidly heading south on page length... I wonder which will break first the server or peoples browsers?

82de478ea93bdd87 • May 31, 2015 11:39 AM

@Slime Mold with Mustard

As usual, you can take this opportunity to razz Bruce for forgetting the Squid Thread (providing nothing really unfortunate has befallen our gracious host).

Bruce has not forgotten the squid thread -- it had been posted here, this time using steganography.

82de478ea93bdd87 • May 31, 2015 11:57 AM

@░▒▓█

It was clandestine before, it will be clandestine again.

Very true, these surveillance programs will remain active. It is even worse for people without human rights from the point of view of the U.S. government (e.g., European citizens). For them, privacy has not been even considered a fundamental right.

In case this surveillance program (the one that affects domestic communications) is declared illegal, NSA will have a very simple workaround: asking their friends at FVEY to spy into American lives and pass them all captured data. This way NSA will not spy into Americans but will get same information in return.

As I said before I try to be optimistic and say myself that the current surveillance state is highly positive for the world. To me all is OK iff we are allowed to develop, implement and use protections against government/corporations surveillance. In my humble opinion, technological security had advanced more in the last two years than it achieved in the last decade. Even people that some time ago did not care about their own privacy and security are now [slightly more] concerned.

░▒▓█ • May 31, 2015 3:09 PM

Don't feel bad, US citizens have no rights either. The US government denies their human rights with illegal reservations that undermine the object and purpose of the treaties, and it negates their constitutional rights with secret law. But US government suppression of privacy rights is failing.

NSA has a vague dim-witted feeling of foreboding about privacy rights. You can tell because Rogers is trying to head it off with this "Law of the Sea" for the internet. That's stupid on many levels, even for a deck ape like Rogers. The US government never ratified the UNCLOS, and it wouldn't ratify an internet treaty. What the US does is try to keep customary international law from being codified in conventions like UNCLOS. Meanwhile they flout the legal principles to establish 'customary' state practices with minimal constraints.

The framework for internet lawmaking already exists in the ICCPR treaty body and the OHCHR. Those institutions see the internet as a means to free association, free expression, and information rights for human beings. Rogers cannot comprehend that approach. He sees the internet as territory to fight on. He doesn't give a rat's ass about the humans who use it unless they're targets.

In six weeks the world will meet to see what the USG has to say for itself in regard to its documented public disgrace. USG will be tested and graded like some inner-city pica kid in a charter school. The US is very sensitive to sitting in front of everybody with a dunce cap, and they have to show some remedial work in one of four grave emergency areas:

- Accountability for torture and murder. Yeah right. The day after that happens, Air Force One goes down in flames.

- Gun violence. That would require cops to give up their longstanding contractually-guaranteed perk of lynching black guys for fun. So na ga happen.

- Guantanamo. You can't let those guys out, they'll talk. Then we're back to accountability for torture and murder. So forget it.

- Surveillance. This is the US government's only hope of showing results. NSA is ripping NATO apart and meticulously implicating Obama in indiscriminate murder of protected persons in nonbelligerent states. It's a huge pain in the ass.

So what to do? Public repudiation and humiliation of NSA until it sinks out of view and maybe gets swallowed by CIA. Then CIA can mix up all the sources and methods so you can't tell if the war propaganda is coming from confessions under torture, fabrications, media infiltration, or illegal surveillance. The US avoids straight Fs, CIA maintains impunity and tightens its control over the country. Win/win!
