3.4 Cryptology and Circumvention

The ‘International Survey of Encryption Policy’ published by the Electronic Privacy Information Centre in 1999 began with the following statement: “Most countries in the world today have no controls on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction. This is true for both industrial and developing nations”.

Only 5 years on, we saw drastic changes in the world’s approach to encryption. Click to see a diagram, compiled by Bert-Jaap Koops for his Crypto Law Survey.⁹⁸
The importance of encryption in providing privacy of information and communication was quickly taken on board by many governments. Introduction of public key cryptography and several easy-to- use tools placed this incredibly complex technology within the grasp of all. Its effectiveness in neutralising the capabilities and capacities of government agencies to perform successful surveillance was soon realised. Since then, governments have been scrambling to restrict public use of encryption or to ban it altogether.

The strength of privacy provided by encryption has lead to its classification as a military grade weapon and inclusion into the Wassenaar Arrangement⁹⁹. The United States initially demanded for a world wide key escrow system, i.e. for a copy of all encryption keys to be stored with the government so that they could decrypt messages at their discretion. A project known as the Clipper Initiative would have this key escrow built into encryption software. The project was rejected by the Congress and presently encryption in the US is only limited by export laws, prohibiting its sale or transfer to any of the seven countries labelled as ‘terrorist states’. All cryptographic algorithms must be approved and licensed by the National Security Agency.

This trend has been followed by many countries. At first, governments feared loss of intelligence- gathering powers and restricted the use of cryptography unless they were able to decrypt it. Eventually, privacy advocates won the battle for not limiting the use of cryptography to secure personal information. Unfortunately, some countries continue to ban encryption, either outright or through persecution of its users. China, for instance, approves of the use of encryption products that are developed and licensed in China – presumably, including some form of key recovery. Turkmenistan does not have any laws banning encryption use, yet if surveillance notices that a person’s Internet traffic is encrypted, they will demand to know what is being sent. Another approach, taken by India and the UK, is to allow encryption, yet to force the owner of the keys to submit their passwords or face imprisonment. Iran bans the use of encryption altogether – a hardly realisable ruling if we remember that the Internet has built-in encryption (SSL)¹⁰⁰. Whenever you access an email account (Yahoo, for instance) or carry out any kind of financial activity, your Internet connection to the website becomes encrypted in the Secure Sockets Layer (SSL). Yahoo uses SSL to pass your login name and password secure to its server. You don’t have another option. Hence, under the legislation as strict as Iran’s, Yahoo email accounts as well as many other Internet services and functions should be made illegal. If a country wants to benefit from the Internet economically or culturally, encryption cannot be limited or outlawed.

Circumvention technologies allow the user to bypass website blocks when browsing the Internet and sending email. They strive to restore the human right to seek and exchange information in the countries where, in contradiction to international standards, free Internet browsing and free email exchanges are prohibited. Circumvention tools take advantage of the computers in uncensored countries and route communications through them. In real terms, if your country prohibited you to speak with me but not with a colleague of mine, you would convey the information to me by conversing with my colleague. Internet users in Iran and China, accustomed to the difficulties of the Internet-censoring regimes, became experts in sourcing out new methods of circumventing in-country blocks, but even those are outlawed and heavily punishable in many states.

Human rights defenders must possess the knowledge and the ability to secure their information and to bypass illegal censorship channels. States that have ratified the Convention on the Protection of Human Rights Defenders have an increased obligation to ensure that the legitimate work of HRDs is not restricted or punished. Civil society at large should guarantee that no legislation prohibits the use of these rights-restoring tools and techniques.