A. INTRODUCTION
- In the past quarter of a century, Kenya has experienced a rapid increment in the ICT sector and internet connectivity. Globally, there has been an information revolution. The Country has established a data economy which is the wealth and resources created from the collection and processing of data spanning both public and private sectors.
- The data economy is regarded as the cornerstone of the fourth industrial revolution which uses digital technologies to carry out processes. Consequently, this has resulted in widespread data infringement necessitating the use of encryption techniques to safeguard data.
- The advent of electronic communications on mobile and computer networks has created the need to craft a way to warrant that conversations and transactions remain confidential and only privy to the parties involved. This has led to the use of encryption techniques. Though it is a solution to the protection of data, a heated debate has spawned over its legal aspects as discussed herein. For instance, some governments, through their security agencies, want to restrict the use of data encryption for fear of “going dark”.
- This article discusses the use of encryption as an enabler of the right to privacy and the closely intertwined freedom of expression.
B. EVOLUTION OF THE RIGHT TO PRIVACY
-
- The notion of privacy has not matured overnight. In 1890, Samuel Warren and Louis Brandeis published The Right to Privacy”“ in the Harvard Law Review. This publication is regarded as the first modern construction and the birth of the contemporary conception of the right to privacy. They identified the right to privacy as “the right to be let alone”. It is during the 19th Century that modern technology gained traction in the communication and data storage sector.
- The main concerns as depicted in their article were the offensiveness and invasiveness in US journalism in the dusk of the 19th century. The advancement in technology has led to grave concern over privacy. Warren and Brandeis identified the press, instantaneous photography, newspaper, and numerous mechanical devices as the new threats to privacy.
- Currently, the world is facing greater surveillance and data abuse practices than at any other moment in human history perpetrated by corporations and governments. Simply put, we are truly living in the golden age of surveillance. Currently, the use of the internet has become as pervasive and necessary as the oxygen we inhale. Seamless connectivity has become the norm, and impossible to unplug. As of January 2023, there were about 5.16 billion internet users worldwide. This accounts for about two-thirds of the global population. Comparatively, less than 1% of the world’s population was online a quarter-century ago. For many, it is now virtually impossible to imagine life without the internet.
- From a theological perspective, Christianity and Islam recognize the right to privacy. Both give great importance to the fundamental human right to privacy. To many Muslims, the Qur’an is the Magna Carta of human rights since a large part of its concern is to free human beings from the bondage of authoritarianism. The Qur’an recognizes the need for privacy as a human right and lays down rules for protecting an individual’s life from undue intrusion. This is evident from the some of the verses of the Holy Quran: ‘Do not spy on one another’ (49:12); ‘Do not enter any houses except your own homes unless you are sure of their occupants’ consent’ (24:27).
- Biblically, the narrative of privacy is addressed “in principio“ in the very first pages of Genesis. In Genesis 3:7. The Holy book does not treat lightly any breach of privacy, whether intentional or accidental. It directs that one should avoid invading another’s privacy, understanding that each person expects his privacy to be respected. The Bible offers a two-sided approach to privacy: it is understood to be fragile and easily violable, but at the same time recognized as a right of high regard.
- From the foregoing, it is evident that the right to privacy has presently gained more emphasis than in the days when our Scriptures were written.
C. THE CONCEPT OF ENCRYPTION
- Encryption is a technical term used to describe ‘the manner by which communications such as text messages, emails, phone calls and video chats are secured against access by anyone who is not the intended recipient. The act of encryption is the mathematical manipulation of information to render it readable solely by the person or persons intended to receive it. It uses the art of cryptography, which is the art of converting data to a format that is unreadable without the aid of a tool or additional information. It’s therefore the science of encrypting and decrypting information.
- Strong encryption has been around for years. For instance, Apple uses FileVault while Microsoft uses BitLocker to encrypt data on computer hard drives. PGP encrypts e-mail. Off-the-Record encrypts chat sessions while HTTPS-Everywhere encrypts our browsing. Android phones come with built-in encryption.
D. TYPES OF ENCRYPTIONS
- There are three types of encryptions namely End to end encryption which exists when the keys to decrypt communications are held exclusively by the sender and recipient of the communication like in WhatsApp; Disk or device encryption which is the process by which all of the information stored in computers or smartphones is encrypted; and Transport Encryption or Transport Layer Encryption which is the practice of encrypting information and data as it traverses a computer network, for example when accessing a website or sending an email. For example https.
- It is discernable from the types of encryptions that encryption essentially ensures that only the intended recipient can read, listen to or watch any communication that is transmitted to them. Encryption thus ensures the privacy and security of any communications transmitted through any tools and services that use encryption.
E. ENCRYPTION AS A HUMAN RIGHT ISSUE
- From a human rights perspective, the world is rapidly developing awareness of the fact that encryption is a vital instrument for realizing a free, safe, open and trustworthy Internet. It is therefore crucial to recognise the role that anonymity and encryption play as an enabler of the right to privacy and freedom of expression. With respect to encryption, it’s noteworthy that the rights of privacy and data protection and freedom of expression and information are co-equal human rights. Access to encryption, or the lack thereof, may also have an impact on other rights such as the right to peaceful assembly and association.
- The court in Philip R. Karn, v U.S. Department of State and another 107 F.3d 923 (D.C. Cir. 1997) held that knowingly making an encryption tool weaker threatens their ability to safeguard data, and without proper legal procedure, infringes on fundamental human rights. On this subject, Bruce Schneier posits, “Encryption must be unbreakable by everyone, even those with legitimate intentions, in order for it to be effective against those with illegitimate intentions.” This is the main reason why its deployment, promotion and use in many jurisdictions have become the focus of political debate and the target of legislative measures.
- Amnesty International opines that access to and use of encryption is an enabler of the right to privacy since it protects communications from spying thus helping people share their opinion with others without reprisals and ensuring safe access to information on the web. Additionally, they make it clear that encryption is an enabler of the rights to freedom of expression and opinion, and further has an impact on the rights to freedom of peaceful assembly, association and other human rights in the bill of rights.
- It is particularly a critical tool for human rights defenders, activists and journalists, all of whom rely on it with increasing frequency to protect their security and that of others against unlawful surveillance.
- Conversely to the foregoing, encryption has also been added to the ever-growing list of technologies that can be used for significant good or significant ill. It has had a share of drawbacks such as being a tool that protects dissident activities from lawful authorities.
F. PROTECTING THE RIGHTS TO PRIVACY AND FREEDOM OF EXPRESSION IN THE DIGITAL AGE
- Article 31 of the Constitution of Kenya provides for the right to privacy. It provides that every person has the right not to have their privacy, private life or communication infringed on or unnecessarily revealed. Article 33 provides the right to freedom of expression which encompasses the freedom to seek, receive or impart information without unnecessary limitation. The Data Protection Act, 2019 also provides for the protection of these rights and has set progressive standards for access to information.
- Internationally, freedom of expression is recognized under Article 19 of the Universal Declaration of Human Rights which provides that everyone shall have the right to hold opinions without interference. In addition, the International Covenant on Civil and Political Rights (ICCPR) provides that everyone shall have the right to freedom of expression which includes freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice”.
- The UN Special Rapporteurs on the promotion and protection of the right to freedom of opinion and expression have numerously confirmed that encryption is an enabler of human rights in the field of information and communication. David Kaye, the current UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression made a report in 2015 that assessed the use of encryption and anonymity in exercising the rights to freedom of opinion and expression. In his report, he recognizes the essential role of encryption and anonymity in realizing human rights protected under international law. What precisely came out is the point that this technology “provides individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks.” Kaye makes a number of important recommendations, including that states should not attempt to weaken digital security standards, and that all stakeholders, including corporate actors, should encourage ubiquitous “use of encryption and anonymity tools and better digital literacy.”
- Flowing from the above, it is limpid that encryption provides for anonymity which in turn enables individuals to protect their privacy thus empowering them to develop and share opinions and information without interference.
- Similarly, in 2013, the former Special Rapporteur Frank La Rue Report on the implications of States’ surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression concluded that “States must refrain from forcing the private sector to implement measures compromising the privacy, security and anonymity of communications services, including requiring the construction of interception capabilities for State surveillance purposes or prohibiting the use of encryption.”
- The internet has come about through an evolutionary process in which repeated large data breaches, hacked websites, and identity and credit card theft have been inevitably superseded by measures to extend and strengthen encryption. This evolution has been accelerated in recent years thus making it clear that the security and privacy of communications are under threat. This shows that there is an exigent need to ensure the protection of these two rights. In our contemporary world, this protection is not only aimed against online criminals and identity thieves but also against the government. Many governments across the globe have had the tendency of spying on their citizens which is a contravention of their inherent right to privacy. This is undeniably erroneous consequently increasing the ubiquity of encryption. When encryption is employed, the internet becomes a vehicle to which individuals entrust their most intimate thoughts such as their sexuality or religious beliefs and a vast amount of personal information.
- Advances in technology have ensured an increase in the amount of personal information that individuals store on internet-connected devices and transmitted across networks. Many governments have thus been conducting unjustified surveillance which violates their citizen’s right to privacy. Some governments have also outlawed the use of encryption while some try to weaken encryption technology that their citizens should use. In effect, they are preventing their people from using the best available technology to protect their data and their communications which ensures that they do not fully enjoy their rights to privacy and freedom of expression. All this literature takes one-point home- encryption allows us to protect ourselves from violations of our right to privacy by governments and online criminals.
- A good case example of government surveillance is The Edward Snowden Revelations. In 2013, a series of revelations about indiscriminate mass surveillance by the USA’s National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) was revealed to the media. Edward Snowden, a whistleblower who had worked with the NSA, provided concrete evidence of global communications surveillance programs that monitors the internet and phone activity of hundreds of millions of people across the world. The revelations included evidence that an NSA program started in 2009 allowed the agency to record, store and analyze metadata related to every single telephone call and text message transmitted in several countries such as Mexico, the Philippines and even our own Kenya. Additionally, it was reported that these two agencies also hacked into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, possibly stealing billions of encryption keys used to protect the privacy of mobile phone communications around the world.
- In Riley v California [2014], the Supreme Court of the USA reiterated the importance of protecting the data that people store in their telecommunication devices. The Supreme Court made an interesting comment regarding these modern times. It noted that there is a new digital landscape and that modern cell phones are such a pervasive and insistent part of daily life that a proverbial visitor from Mars might conclude that they were an important feature of the human anatomy. The court further acknowledged the need to strike a balance between individual privacy and legitimate government interests. This ruling implies that people should be allowed to utilize the best available encryption techniques to protect their information from the use of lawful authorities who pry at their information just as criminals do.
- Resultantly, it’s only by securing communications against outside interference that ordinary internet users, human rights defenders, opposition politicians, political activists, and investigative journalists can protect themselves from cybercrime as well as from the prying eye of governments all around the world.
G. DATA PROTECTION LEGISLATIONS
- UNCTAD reports that as of this year 2023, over 137 of the 194 jurisdictions have enacted data privacy laws. In Africa, only 15 countries lack enacted or drafted data protection legislation. One of the key principles for the fair and lawful processing of personal information regulated by such data protection laws is the principle of security. This principle implies that proper security measures are taken to ensure the protection of personal data against unlawful access by others than intended recipients. In basic terms, this ensures the enjoyment of the right to privacy.
- In November 2019, Kenya passed what is regarded as a progressive and comprehensive act- the Data Protection Act of 2019. The Act contains an advanced set of provisions with respect to the security of personal data, which are widely accepted by many as cornerstones for the protection of privacy in the digital era. Encryption is thus of particular relevance to the implementation of privacy and data protection by design.
- In the regional context, many African countries have adopted the African Union Convention on Cyber Security and Personal Data Protection. This Convention contains provisions on personal data protection that aim at ensuring that data privacy is always protected. It contains a number of provisions for the security of personal data processing. Since legal issues surrounding data protection and encryption aren’t so deeply rooted in this continent, the provisions of the Convention will help shape approaches to internet policy-making and governance across the continent to ensure that citizens enjoy their rights fully.
- Zeid Ra’ad Al Hussein, the UN High Commissioner for Human Rights, opined as that encryption and anonymity are needed as enablers of both freedom of expressions and opinions, and the right to privacy. It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a government’s ability to break into its citizens’ phones may lead to the persecution of individuals who are simply exercising their fundamental human rights.”
- The fundamental right to privacy has been recognized in various jurisdictions in several landmark cases. In Kenya Human Rights Commission v Communications Authority of Kenya and 4 Others [2017] eKLR, the petitioner averred that CAK had plans to introduce a generic device management system (DMS) for spying on mobile and communication devices of Kenyans without public consultations or public participation. They posited that the DMS will access the networks of the mobile service providers and therefore the devices and device information of the mobile service subscribers. They argued that this system will have the effect of unduly, unreasonable and without any justification, limiting the right to privacy of Kenyans. The court held in favour of the petitioners by succinctly declaring the fundamental right to privacy and stating that the policy seeking to implement the DMS System was adopted in a manner inconsistent with the provisions of the Constitution. In the USA, the Court in Katz v. United States held that the Government’s activities to electronically listen and record the petitioner’s words violated the privacy upon which he justifiably relied.
- These two matters show us that privacy is a fundamental human right that is central to the protection of human dignity and forms the basis of any democratic society. It also supports and reinforces other rights, such as freedom of expression, information, and association. The right to privacy embodies the presumption that individuals should have an area of autonomous development, interaction, and liberty, a “private sphere” with or without interaction with others, free from arbitrary state intervention and from excessive unsolicited intervention by other uninvited individuals.
- Activities that restrict the right to privacy, such as surveillance and censorship, can only be justified when they are prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued. Privacy like other rights in the Bill of Rights is not an absolute right; nevertheless, any activity aimed at limiting the right of citizens to protect their data via cryptographic techniques should withstand the test of the permissible restrictions of Article 24 of the Constitution of Kenya.
H. LIMITATION ON THE RIGHT TO USE ENCRYPTION
- Limitations on encryption represent an interference with the enjoyment of the rights to privacy and freedom of expression, which must be justified as permissible in accordance with human rights law. These two rights are often understood as mutually reinforcing rights.
- First, for a restriction on encryption to be considered legal, it must be precise, public and transparent, and avoid providing State authorities with unbounded discretion to apply the limitation. This is completely contrary to what was observed in Kenya Human Rights Commission v Communications Authority of Kenya and 4 Others [2017] eKLR whereby the CAK acted without public participation or consultation. In this sense, proposals to impose restrictions on encryption or anonymity should be subject to public scrutiny and only be adopted, if at all, according to the regular legislative process. On this matter, Amnesty International underscores that strong procedural and judicial safeguards should also be applied to guarantee the due process rights of any individual whose use of encryption or anonymity is subject to restriction.
- Secondly, limitations may only be justified to protect specified interests: rights or reputations of others; national security; public order; public health or morals which are fundamental freedoms of the citizens.
- Third, the State must show that any restriction on encryption or anonymity is absolutely ‘necessary’ to achieve a legitimate objective. This is what can be termed the language of proportionality. When employing this language of proportionality, the government should ask whether the end could be pursued by less drastic means. A proportionality assessment should ensure that the restriction is the least intrusive instrument amongst those which might achieve the desired result. The restriction of an individual’s right to privacy must be something more than useful, reasonable or desirable.
I. ENCRYPTION AND NATIONAL SECURITY: THE “GOING DARK” DEBATE
- In our contemporary society, government officials have begun to publicly speak out against strong encryption over fears of “going dark” – a concept originally used by US law enforcement to describe the declining capabilities of law enforcement agencies to access the content of communications due to the increased use of encryption in everyday communication technologies and services.
- Crimes by use of technology are very dynamic and ever-increasing. The controversy over encryption stems from a practical component of computer security: by securing communications against illegitimate interference by criminals, encryption also secures communications against both illegitimate and legitimate interference by government authorities. It is for this reason that its deployment, promotion and use have become the focus of political debate and the target of legislative measures in several jurisdictions.
- Governments’ criticism of encryption has increased against the backdrop of a generalized fear, promoted by security agencies that the internet is proving a hospitable environment for terrorism-related activities and cyber criminals as observed in the FBI v Apple [2016] case. A number of key figures have come forward to condemn encryption and its providers for fostering “safe spaces” for criminals. Former British Prime Minister David Cameron in 2015 stated; “we cannot allow modern forms of communication to be exempt from the ability to be listened to.”
- In FBI v Apple, these two parties were engaged in a public argument over the issue of encryption due to Apple’s increasing use of strong encryption in its products. This came to head when the FBI sought to unlock an iPhone 5C used by one of the shooters in an attack in San Bernardino, California, that left 14 dead in December 2015. On 16th February 2016, in response to a request by the US Department of Justice, a federal magistrate judge ordered Apple to create a custom version of its iOS 8 operating system that would allow investigators on the case to get around the phone’s security features. Apple’s Chief Executive Officer, Tim Cook, responded in an open letter, in which he stated that the government’s demands constituted a breach of privacy. Cook further said that the U.S. government was asking for something that they didn’t have, and something they considered too dangerous to create; which was “to build a backdoor to the iPhone.”
- Many organizations supported Apple’s stance on that matter which was a widely held view among those opposing the FBI’s request, including Amnesty International which averred that if Apple was compelled to modify its software to unlock that phone, it would set a precedent that could allow the US government and potentially other governments to compel technology companies to weaken or otherwise circumvent their encryption by providing a ‘backdoor’ to intelligence and other security agencies. ‘
- Essentially, ‘backdoor’ is an informal term used to refer to technical measures that weaken or undermine encryption tools, devices and services in order to facilitate access to information and communications by actors other than the service provider, and parties to, the information or communications. Some of the measures that states can take to compel service providers to create backdoors include diminishing the strength of encryption used in encryption tools, devices and services; or deploying only approved forms of encryption or specific state-approved random number generators used for generating encryption keys.
- Regarding this matter, the UN High Commissioner for Human Rights stated: “A successful case against Apple in the US will set a precedent that may make it impossible for Apple or any other major international IT company to safeguard their clients’ privacy anywhere in the world… It is potentially a gift to authoritarian regimes, as well as to criminal hackers.”
- Contrary to the above assertions, many law enforcement authorities posit that full-disk encryption common in the devices we use significantly limits their capacity to investigate crimes and severely undermines their efficiency in the fight against terrorism, thereby posing the question; “why should they permit criminal activity to thrive in a medium unavailable to law enforcement?” Some averred that to investigate these cases without smartphone data is to proceed with one hand tied behind their backs as seen in the San Bernardino shooting case.
- We, however, support the contention that strong encryption protects us from a panoply of threats from online criminal and lawful authorities. Thus, our stance on the going dark debate and creating a backdoor is that it is impossible to build a backdoor that is only accessible to the good guys since the bad guys will also find a way in.
J. CONCLUSION
- In the digital age, access to and use of encryption techniques is an enabler of the rights to privacy and freedom of expression, among other rights. Without encryption, a great risk would subsist. The contemporary world is experiencing higher reliance on electronic commerce and the use of networked communication for all manner of activities. This suggests that a lot of information about people is being stored online and in telecommunication devices thus raising questions about the security of that information. The digital revolution age has made security more and more critical and encryption is recognized as the most powerful single tool that users can use to secure the internet.
This article is provided free of charge for information purposes only; it does not constitute legal advice and should be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact ICT Law & Data Protection Department at ICTWA@wamaeallen.com
More Legal Updates |
About the author
His main areas of practice include: Employment and Labour Law, Human Rights Law, Banking and Finance Law Conveyancing and Alternative Dispute Resolution Commercial Law
Academic Qualifications
ATP (Postgraduate Diploma), Kenya School of Law, 2019
LLB (Hons), Moi University, School of Law, 2018
Professional Qualifications
Member, Law Society of Kenya