Encryption digest (February 2021)

3 Mar 2021

This extract is taken from the February 2021 issue of The digest, GPD’s newsletter. Sign up here.


A new assault on encryption?

This month the EU launched a consultation on its new plan to tackle child sexual abuse material (CSAM).

The text of the consultation outlines that this will include measures to compel online service providers “to detect known child sexual abuse material” and “require them to report that material to public authorities”. But we also know, from an EU Commission leak last year, that measures to restrict encryption—so called “backdoors”—are also potentially on the table. As several expert members of the Global Encryption Coalition have noted, these proposals could have serious implications for digital security and human rights.

This is all concerning, but at least the consultation (which ends on 15 April) provides a structured opportunity for civil society and other stakeholders to provide their perspectives on the proposed approach.

Unfortunately, in India—where a similar set of proposals are about to be announced—no consultation is being promised. The Indian Ministry of Electronics and Information Technology (MeiTy) is imminently expected to propose sweeping amendments to intermediary liability rules that could weaken security and limit the use of strong encryption on the internet. A leaked version of these guidelines reveals plans to require intermediaries (like social media platforms, or internet service providers) to be able to trace the origin of communications, with penalties for non-compliance—creating an obligation on the intermediary to have access to encrypted traffic. In an open letter to the Indian government, a group of nearly 30 security advisors highlighted the risks of such an approach: “by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.”

An Internet Society report from last year similarly concluded that the use of digital signatures and the use of metadata (which have both been proposed as methods to achieve traceability) would require the breaking of end-to-end encryption.

As we noted in a recent blog on GPD’s newly launched encryption policy hub, these attacks on encryption—as well as the new focus on intermediary liability—is part of a wider set of trends which human rights defenders and others who support the availability of strong encryption need to be aware of. The Global Encryption Coalition will be coordinating members to respond to developments at both the EU and in India: watch out for more here