How Undermining Encryption threatens Online User Security in Africa
By Arthur Gwagwa
Encryption as in integral component of anonymity and circumvention of encryption has come under threat in an already embattled right to privacy and free expression landscape in Africa. This is evidenced by recent events in Uganda, where the government ordered telecommunication service providers to block Virtual Private Networks (VPN) applications to address social media ‘tax evasion’. The national regulator — Uganda Communications Commission — also unduly influenced Ugandans not to use VPNs arguing that the cost of such services would exceed the proposed tax. Despite the current attempts to reverse its decision, the attempt places Uganda on the list of countries that have previously taken measures to undermine encryption in Africa and elsewhere. This article examines examples of efforts to limit public access and use of encryption tools, international efforts to leverage open source and commercial encryption, international norms and standards governing encryption and recommends measures that support the use of encryption technologies.
Uganda’s proposal raises new challenges for activists and human rights defenders in the country and potentially across Africa as their means of communication becomes a means for repression. Apart from helping activists, circumvention technologies have helped internet users in countries such as the Gambia to access social media for communication with friends and families during partial internet shutdowns and also for, girls, women and sexual minorities in East Africa to preserve their online privacy. The current regional challenge could not have come at a worse time especially given the recent decision by Google and Amazon to block “domain fronting,” which has been used by the encrypted communications app Signal. The Ugandan proposal increases the potential that the Ugandan repressive state will spy on its citizens and further clamp down on free speech beyond using it as a tool to enforce tax compliance.
Further, the attempts add Uganda to a list of African countries that have displayed an inimical attitude towards encryption and anonymity online. For instance in Tanzania with online regulations that requires internet cafes to have static IP addresses, Zimbabwe, where there were attempts to strip the anonymity of a popular blogger. Also in Zimbabwe, the regulator banned Blackberry Messengers because its encryption services undermined provisions for lawful interception under the Interceptions of Communications Act, 2007. There is also criminalisation of the use of digital and encryption tools in Ethiopia, and attempts to ban anonymous social media posts in Lesotho. In our view, the current attempts to build local mobile applications in Ethiopia and Zimbabwe are yet other attempts to roll out un-encrypted apps including those with state-approved algorithms.
Examples of efforts to limit public access and use of encryption tools
In their recent report, Citizen Lab and The Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic provide a comprehensive list of efforts to limit public access and use of encryption tools, including:
- Criminalisation and encryption bans
- Censorship of encryption tools
- Limits on key strength, choice of algorithms, or use of end to end encryption
- Export controls
- Covert efforts to undermine encryption; and
- Measures that target intermediaries, for example, backdoors access.
Criminalisation and banning of encryption may be direct like in the case of Ethiopia or indirectly in Zimbabwe where the regulator banned Blackberry Messenger because of its encryption capabilities. Also, under the Interceptions of Communications Act, telecommunications services should have the ability to be intercepted. The same law also opens the door to require telecommunications providers to retain data about their customers and their communications, so that officials can access it.
Regarding censorship of circumvention tools, countries like Egypt, just like in Venezuela, routinely censor circumvention technologies. A recent OONI report says, In Egypt, ISPs seem to apply “defence in depth” tactics for network filtering by creating multiple layers of censorship that make circumvention harder. Not only were numerous circumvention tool sites (including torproject.org and psiphon.ca) blocked, but access to the Tor network appears to be blocked as well, according to the report.
Under the covert efforts, intelligence agencies can covertly weaken encryption standards and tools of general application as well as disseminate those compromised tools internationally. The agencies may be directly involved in the standard setting process for the purpose of injecting weaknesses into the very foundation of certain cryptographic tools. Governments and their agencies can then use that knowledge of the weaknesses introduced, to exploit those systems more easily. On the measures that target intermediaries, governments may not ban encryption but require intermediaries to give them access in ‘exceptional cases’. However, ‘exceptional access’ may be exploited and used for human rights violations.
International efforts to leverage Open Source and Commercial Encryption
In light of the importance of encryption in protecting individual liberties, commercial interests and national security, the Ugandan and other African governments should take technical measures to increase security and user confidence online. Encryption, either for civilian or for commercial purposes, is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy. Users of encryption must be confident, and justifiably confident, that only those people they designate can decrypt their data.
The U.S., through the Internet Freedom Fund, has invested in programs that promote the development and use of encryption technology although such noble efforts came under scrutiny in the aftermath of the Snowden revelations. Nevertheless, U.S. government organisations such as the Open Technology Fund have done sterling work, independent from the U.S. Government, by funding the development of projects and tools such as Signal, Lantern, and Tor based on open source encryption to enable human rights activists and bloggers to exercise their human rights freely and safely online. For example, Psiphon has helped around 10 000 Iranians to access a restricted Internet. It is also popular in Ethiopia.
Similarly, the use of reliable encryption software to safeguard data is critical to many sectors and organizations, including financial services, medicine and healthcare, research and development, and other critical infrastructures around the world. Encryption-related software, including pervasive examples such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI), is essential to online commerce and user authentication. It is part of the underpinning of current communications networks.
International norms and standards
Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights guarantees individuals’ right to access information “regardless of frontiers,”
Echoing these provisions, in his first report to the Human Rights Council, the Special Rapporteur on freedom of opinion and expression, David Kaye, noted that encryption and anonymity in digital communications deserve strong protection to safeguard individuals’ right to exercise their freedom of opinion and expression.
While Africa is facing a number of threats like ransomware and cryptolocker as pointed out in the Symantec Report, but also terrorism and child exploitation, laws, practices and policies that ban, restrict, or otherwise undermine encryption and anonymity — all in the name of public order or counter-terrorism significantly and disproportionate damage the rights enshrined in Article 19.
When States legitimately need access to encrypted or anonymous information, they should only seek it through a judicial process. Kaye also recommends against compelling private companies to install encryption vulnerabilities for Government access, because this would make companies’ digital networks vulnerable to criminal activity or hostile State action. The Rapporteur further recommends that States protect and promote the use of encryption as a matter of digital security.
The proposed move in Uganda and related practices elsewhere in Africa go against best practice towards the protection of anonymity in digital communications in light of David Kaye’s recommendations. In the digital area of mass surveillance, encryption is not a side-bar or footnote in the free expression discourse but can make the difference between life and death for journalists, bloggers and human rights defenders operating in repressive environments as was the case in Ethiopia and the Gambia before the current reforms. This also includes in democracies like Kenya where, according to Privacy International report, surveillance is a matter of life and death. In Zimbabwe, a prolific blogger used anonymity to expose government corruption.
Given its importance in free expression and preserving online confidentiality, any ban including the proposed ban on encryption and anonymity should meet the test of legality, necessity and proportionality under international law but must also, in addition, and comply with industry best practice in their application. Practices that seek to lift the cover of anonymity from bloggers who expose government corruption, including through humorous cartoons do not meet the three-pronged test.
Also given Africa’s financial markets ‘vulnerability to cyber-attacks, weakening encryption protocols may further expose financial institutions and other critical infrastructure to cyber-attacks.
To secure liberty in the digital world, African governments and tech giants should adopt the normative recommendations outlined above and evolving evidence-based good practice, to:
- Fully support and not undermine efforts to create encryption standards;
- Not in any way subvert, undermine, weaken, or make vulnerable generally available commercial and open source software; and
- Increase the use of encryption and urge companies and civil society to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
Main cited works.
Lex Gill, Tamir Israel, and Christopher Parsons (May 2018), “Shining a Light on the Encryption Debate. A Canadian Field Guide,” Citizen Lab and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic < https://bit.ly/2lVGDK0>
Liberty and security in a changing world < https://bit.ly/2tHjUDo>
Human rights, encryption and anonymity in a digital age< https://bit.ly/2KNOJiw>
N.B: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of the African Academic Network on Internet Policy.