Time
    Monday, 9th October, 2023 (23:30 UTC) - Tuesday, 10th October, 2023 (00:30 UTC)
    Room
    WS 4 – Room B-1
    Subtheme

    Human Rights & Freedoms
    Digital Technologies and Rights to Health
    Rights to Access and Information
    Technology in International Human Rights Law

    Organizer 1: Pavel Zoneff, The Tor Project
    Organizer 2: Roger Dingledine, The Tor Project Inc.

    Speaker 1: Roger Dingledine, Private Sector, Western European and Others Group (WEOG)
    Speaker 2: Rand Hammoud, Civil Society, Intergovernmental Organization
    Speaker 3: Sharon Polsky, Private Sector, Western European and Others Group (WEOG)

    Moderator

    Tate Ryan-Mosley, Technical Community, Western European and Others Group (WEOG)

    Online Moderator

    Pavel Zoneff, Private Sector, Western European and Others Group (WEOG)

    Rapporteur

    Roger Dingledine, Private Sector, Western European and Others Group (WEOG)

    Format

    Panel - 60 Min

    Policy Question(s)

    A.) How can policymakers ensure that individuals who use encryption to protect their privacy and security are not subject to discrimination, surveillance, or other forms of harassment or repression? B.) Should encryption be regulated at the national or international level, and how can this be accomplished without hindering technological innovation, impeding the free flow of information, or compromising users? C.) Who stands to gain or lose if we have systems that cannot comply with access desires to encrypted communications from authorities?

    What will participants gain from attending this session? Participants will gain a deeper understanding of how public discourse is shaped to malign the terminology and concept of ‘encryption’ to influence decision makers and legislators to advocate for building in backdoors. IGF 2022 aimed at introducing the voices of human rights actors into policy debates about encryption to provide insight into the necessary protections encryption offers. This session seeks to advance that discussion by bringing together a panel of privacy-preserving technology providers, advocates, and grassroots organizers working on the frontlines defending people's digital and human rights. Based on tactical insights, they will debate the elements that can help shape an ethical, human rights focused international governance framework for the protection of encryption services and technology. Conference attendees will take away arguments to engage in productive discourse around what a responsible governance framework for encryption might look like.

    SDGs

    Description:

    Almost every aspect of our private and public lives relies on the internet. From accessing information via news outlets or social media to health and eGov services to executing money transactions, civic participation requires disclosure of personal information online. Encryption is a powerful tool to safeguard that information and has become a fundamental building block for the internet as we know it today. Yet, by design, this technology is invisible to the naked eye which makes it particularly susceptible to the spread of misinformation and policy challenges when it comes to its day-to-day use cases. Under the guise of protecting vulnerable populations, government bodies worldwide are pushing for backdoors and restrictions on encryption technologies. But the negative impact of tampering with encryption and allowing government or other public sector actors to peek behind the curtain is often overlooked. The panelists will evaluate common threats to encryption – from spyware to legislative and political calls for (more) backdoors – and foreshadow what a future without encryption would look like as people’s online data is increasingly used to restrict their rights, access to information, civic participation, and healthcare. Outside of empowering human rights defenders, journalists and people experiencing restricted internet access, encryption will play an increasingly important role in safeguarding basic human rights against the backdrop of managing global health crises, disaster response, and emerging currencies. This session will address the role of public and private entities in protecting privacy-preserving technologies and debate related policy questions. How interconnected should centralized government (and intergovernmental) systems be? Can there be global consensus on what constitutes 'reasonable' limitation on encryption? What happens when a government changes, and with it the public policy? Should politicians, lawmakers, and members of the judiciary be required to be well-versed in privacy, encryption, and their impact on human rights?

    Expected Outcomes

    The workshop aims to discuss and answer the above policy questions to uncover potential elements for a human-rights forward governance framework for encryption, and raise awareness of the importance of encryption for privacy and security protections online. The panelists will demonstrate how the protection of digital rights is inextricably linked to upholding human rights by presenting tangible, everyday beneficial use cases to combat misinformation, and that help interested audiences engage in a more productive discourse. Conference attendees will take away arguments and use cases to engage in productive discourse around what a responsible governance framework for encryption might look like.

    Hybrid Format: The session will include both an online and on-site moderator as well as online- and in-person panelists. The moderators will work together closely to ensure that questions and comments from both online and in-person participants are addressed in equal measure, displayed and highlighted during the session. Since this session is designed to explore common misconceptions about the topic of encryption, and to account for differences in the level of knowledge about the subject matter, we will integrate interactive elements to make the discussion more lively and engage the audience via chat and polls using free, open-source online platforms to gauge a deeper understanding of the audience sentiment and where additional context and explanations might be needed to facilitate an inclusive and productive Q&A session. We will closely follow the guidance and potential additional input from the IGF Secretariat and its working group on hybrid meetings.

    Key Takeaways (* deadline at the end of the session day)

    The technology landscape does not adhere to geographic boundaries. If you break encryption for one, you break encryption for all, undermining national security and potentially harming the groups you seek to protect.

    To avoid negative policy outcomes, laws governing the use of encryption cannot supersede or overrule established international standards such as the right to privacy, freedom of expression, due process and access to information. Policy frameworks need to outlaw the use of spyware.

    Call to Action (* deadline at the end of the session day)

    Policymakers need to drastically improve their understanding of internet technologies, the infrastructure underpinning them, their built-in protective mechanisms, and the internet's business model to draft safer regulatory frameworks and make more informed policy decisions. To that end, policymakers should consider proposing laws that enshrine fundamental tech education and compel tech organizations to be more transparent about their practices.

    Internet users and the 'average' consumer need to take power over their online data, demand the mainstreaming of encryption within their daily tools to make a case for why online privacy is vital to their digital practices. Whether it is to adhere to professional standards, such as client-attorney privilege, safeguarding patient data, maintaining a competitive advantage etc. the use cases are endless and everybody has "something to hide."

    Session Report (* deadline 9 January) - click on the ? symbol for instructions

    This panel brought together professionals from the technology, policy, human rights and advocacy spaces to discuss international standards and policy considerations for human-rights-forward governance of encryption. The debate reflected on policymakers' need to balance the demands of national security with the protection of individual privacy and international human rights laws. The panelists discussed a number of measures that could help shape a comprehensive regulatory framework for encryption. 

     

    1. International Framework for Encryption:
    • Encourage international collaboration and adherence to human rights principles in addressing encryption and surveillance challenges. Countries should be accountable for adhering to international standards and guidelines.
    • Promote the global adoption of encryption best practices across nations. Provide technical assistance and capacity-building programs to countries and stakeholders that may lack the expertise to make informed decisions about encryption policies. This includes sharing knowledge about cybersecurity, encryption technology, potential risks, and global norms for safeguarding digital communications.
    • Involve stakeholders such as civil society organizations, technology companies, human rights advocates, and privacy experts in the development of international encryption standards. Ensure that diverse perspectives are considered.

     

    1. Education and Public Awareness:
    • Emphasize digital literacy from an early age, ensuring access to education that includes understanding the implications of surveillance, risks, and individual rights.
    • Promote awareness of the importance of encryption in protecting privacy and security.

     

    1. Normalize Encryption:
    • Normalize strong encryption as a global standard, much like HTTPS, for all online communications. 
    • Encourage all users and regulators to expect encryption by default for secure messaging and data protection.

     

    1. Reject Mass Weakening of Encryption:
    • Reject proposals for mass weakening of encryption that infringe on individual privacy. 
    • Consider the potential consequences of weakening encryption, for example, examine instances where lawful intercept ports have been misused previously.

     

    1. Protect User Privacy and Security:
    • Uphold strong customer and user protections to protect user data against unauthorized access.
    • Advocate for the adoption of distributed approaches and end-to-end encryption to return power to the hands of users, granting them control over their data, communications, and online activities.

     

    1. Strengthen Legal Protections Against Surveillance:
    • Strengthen legal protections against surveillance, with an emphasis on the invasive nature of surveillance technologies.
    • Enshrine in international frameworks what surveillance and encryption mean, inspired by robust international standards that ensure fair trials, freedom of expression, and limits on invasive surveillance.

     

    1. Differentiate Encryption from Content Moderation:
    • Distinguish between encryption as a safeguard for user privacy and content moderation as a separate issue.
    • Emphasize that encryption is not the problem, but rather a means of protecting personal data.

     

    1. Recognize the Limits of AI in Content Moderation:
    • Acknowledge the limitations of artificial intelligence (AI) in making perfect content moderation decisions. Highlight the potential for false positives in AI-based moderation systems, which can have severe consequences for individuals.
    • Address concerns about child sexual abuse material proliferating on private messaging apps by implementing effective content moderation measures such as safe and responsive reporting channels for users that do not compromise encryption.

     

    1. Ban Spyware Vendors and Technologies:
    • Implement a ban on spyware vendors and technologies that have been used to enable human rights abuses.
    • Address the proliferation of spyware by regulating and restricting its use.

     

    1. Regulate Vulnerability Exploits:
    • Regulate the sale and use of software vulnerability exploits, treating them as equivalent to 'small arms dealing' in the digital realm.