Categories
Encryption Strengthening the Internet

Chapter Leaders Worldwide Make the Case for Strong Encryption

What makes a great leader? Earlier this year, 473 Chapter Members participated in the 2020 Chapters Training Program. The Internet Society kicked off the program with a lot of hope and excitement. This was an opportunity to harness the power of us – our global community – to incubate innovative ideas and tomorrow’s Internet leaders.

The program aimed to develop new community leaders to work with their Chapters, create local awareness of the Internet Society’s mission-driven work, and become involved in Action Plan projects, including Encryption.

Each time we share information on the Internet, we assume that only our selected recipients – and no one else – will receive and read it. But how can we be sure? Ursula Wyss of the Switzerland Chapter says this is “where end-to-end encryption comes in, since it ensures that only you and those people who are intentionally included in the conversation can read the messages that are being exchanged. This is done by scrambling the message in a way that it can only be read by those who have the right encryption key to unscramble it. For everyone else, the messages remain scrambled.”

The Encryption Chapters Training Program was developed to equip Chapter Leaders with knowledge and tools to engage their members locally in an impactful and informed way. It included 139 trainees from 66 Chapters. They watched 10 videos and attended a two-hour training session with Internet Society staff and experts from the community, including Chapter Leaders from Germany, the U.S., Canada, India, Ghana, and Bolivia as well as partners such as Derechos Digitales.

Why Does Encryption Matter?

“With an escalation in hackings over the past decade, breaches in our private data are of ubiquitous meaning now more than ever and, for this, encryption is key,” writes Loide Uuzigo of the Namibia Chapter in “The Time For Encryption Is Now.”

Encryption safeguards the personal security of billions of people and the national security of countries around the world. These are just a few examples of how:

Internet privacy concerns are real: Encryption helps protect your online privacy by turning personal information into “for your eyes only” messages, seen only by the parties it’s shared with.

Hacking is big money: Cybercrime is a global business, often run by multinational outfits. Many of the headline-making large-scale data breaches demonstrate that cybercriminals are often out to steal personal information for financial gain. End-to-end encryption, the most secure form of encryption, ensures that sensitive, confidential information transmitted by billions of people online every day remains confidential and out of the hands of criminals.

Online health and learning solutions rely on it: With people worldwide increasingly relying on telehealth and remote learning during a pandemic, encryption is a must. For instance, in the U.S. the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement security features that help protect patients’ sensitive health information online.

Once armed with information, the Encryption Chapters Training Program trainees developed local initiatives to amplify awareness of the critical role encryption plays in our everyday lives. Here are a few of the submissions that stood out:

“Encryption helps protect private information, sensitive data, and can enhance the security of communication between two parties,” says Theorose Elikplim Dzineku, an Internet Society Ghana Chapter Member. “Whereas the Internet proposes a host of ways to communicate with friends, co-workers, and complete strangers, it also allows third parties to intrude on those communications, as well as track online conversations and activities. Using encryption tools helps individuals keep communications secret and protect swapping activities of personal tales with a friend or transacting important business with a client.”

Says Rahabu Sakilali of Tanzania, “with the COVID-19 pandemic, virtual conferencing and social media became the go-to place to hold lessons, business meetings and sensitive discussions. Encryption makes the virtual platforms safe! End-to-end encryption protects ourselves and our data. It also helps us be sure who we are communicating with, sign digital documents and ensure the recipient is authentic.”

“Effective encryption is a foundation for us to build trust on the Internet,” states Josephine Nampala of the Uganda Internet Society Chapter. In fact, during the COVID-19 pandemic, end-to-end encryption’s got us covered. “With the social distancing that is required to control the pandemic, many enterprises are opting to operate remotely. As well, many people are trying so much to keep close to their loved ones through different online platforms.” In these situations, we need to be sensitive about our privacy online, and strong encryption is key for us to trust the Internet.

Many trainees shared Spanish-language resources, too. Highlights include this video from Oscar Danilo González Navarrete of the Nicaragua Chapter, a blog post from Fernando Manuel Morales Rodas of the Guatemala Chapter, which includes videos that explain Encryption in a simple way, and a blog post from Osvaldo Juan Encinas Moreno of the Venezuela Chapter, who highlights the importance of digital education for those in vulnerable groups.

These are only a few examples of how we all depend on encryption every day of our lives. Effective encryption is key to secure online communications, from financial transactions to healthcare. It is the foundation upon which a trustworthy Internet is built.

Got an interesting story about how encryption is a critical part of keeping our day-to-day experiences safe online? We want to hear it! Write to us at encryption@isoc.org.


Don’t Forget Cybersecurity on Your Back-to-School List

This opinion piece was originally published in Dark Reading.

School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.

Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back-to-school season: cybersecurity.

Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.

In recent years, schools have also seen an increase in debilitating ransomware attacks, even prompting an FBI alert this summer highlighting increased abuse of the Remote Desktop Protocol (RDP) to plant ransomware on school systems.

The security challenges are amplified by the move to more online learning and administration, specifically:

  • Systems that were designed to be accessed on internal networks now need remote access.
  • A wide variety of devices that were never connected to the school’s network now need regular access to services.
  • The type of access needed has expanded well beyond posting of class assignments online. It now includes everything from live classrooms to access to administrative tools and health services.

These additional requirements significantly expand the attack surface, compounding the risks. This brings a set of users with little cybersecurity training into play, placing additional stress on school IT staff who are already typically stretched thin.

So, who is responsible to ensure that these systems and their users are safe? In this case, all layers of the ecosystem – vendors, school districts, and students/parents – have a role to play.

Vendors need to recognize the shift to remote use and provide appropriate built-in security.

School district staff need to choose tools that have appropriate security controls and establish strong cybersecurity practices for staff and students.

Students (and their parents) need to protect themselves and the school’s systems by practicing strong cyber hygiene.

Here are some practical guidelines for each group.

Vendors Need to Raise the Security Bar
To cover the full range of needs, there are many applications and websites for school district staff to consider. Most of these apps, websites, and software products are developed primarily to deliver certain capabilities and levels of functionality and may not incorporate strong security practices, such as limiting access by type of account, encrypting communication and data at rest, offering multi-factor authentication (MFA) to limit illicit access, and securing data on hosted cloud platforms.

As usage continues to increase, vendors need to bolster the security of their products to prevent breaches and disruption of their services.

School Staff: The Critical Role
School district staff have the most critical role to play in ensuring proper levels of cybersecurity, as they’re responsible for making the choices regarding what tools to offer students and parents, as well as setting up the networks for teachers, students/parents, and administrators.

As with any enterprise, school district staff need to follow strong cybersecurity practices. In March, the Consortium for School Networking (CoSN) issued Cybersecurity Considerations in a COVID-19 World to provide guidance to staff on how to best protect their networks and users. The recommended best practices include guidelines related to classroom supervision, layered permissions, Web content filtering, encrypting data, and protecting devices.

In addition to adhering to CoSN’s guidelines, staff should carefully select which online learning tools to use, make cybersecurity part of the decision-making criteria when selecting digital tools, and not hesitate to demand stronger security capabilities from existing vendors.

Students and Parents: Empowering End Users
It’s critical that students and parents take concrete steps to empower themselves to be safer when engaging in remote learning online, as failure to properly secure their access can have negative side effects on both the school systems and systems used in their household, which likely include corporate systems in our new work-at-home world.

Though students and parents are at the mercy of the choice of tools made by the school, they can still practice good cyber hygiene by using strong passwords, enabling multi-factor authentication, changing default passwords on devices in the home to prevent illicit access, exercising care in sites they visit, and choosing strongly encrypted services for their personal use.

Given the massive increase in video conferencing use since the start of the pandemic, it’s also important for students and parents to make smart choices regarding those services. Mozilla released a guide to videoconferencing services, assessing them against minimum security guidelines, as part of their “*privacy not included” series. This is a valuable resource for students and parents.

Back to school 2020 will certainly be unique, as schools scramble to figure out how to provide education in the context of an ever-shifting coronavirus backdrop. With a continued shift to online learning, maintaining a strong focus on cybersecurity is more important than ever.



Latest U.S. ‘Anti-Encryption’ Bill Threatens Security of Millions

The Lawful Access to Encrypted Data Act recently introduced to U.S. Congress may be the worst in a recent string of attacks on encryption, our strongest digital security tool online.

While the recently-amended EARN IT Act would leave strong encryption on unstable ground if passed into law, the Lawful Access to Encrypted Data Act (LAEDA) is a direct assault on the tool millions of people rely on for personal and national security each day.

LAEDA would facilitate the death of end-to-end encryption by forcing companies to provide “technical assistance” to access encrypted data upon request by law enforcement investigations.

The problem is the only way for companies to comply would be to build backdoors into their products and services, or not use encryption at all, making everyone more vulnerable to the same crime we are all trying to prevent. To be clear – we’re talking about the same encryption used to keep activities like online banking, working from home, telehealth, and talking with friends secure online.

The Internet Society raised its concerns in an open letter to the co-sponsors of LAEDA in the Senate, which was signed by over 75 global cybersecurity experts, civil society organizations, companies, and trade associations. According to signatories, the bill “is too technically flawed to be effective and will force companies to make their products less secure.”

To make matters worse, the proposed LAEDA is only the most recent attack on end-to-end encryption from a member of the Five Eyes alliance (the United States, United Kingdom, Canada, Australia, and New Zealand).

United States supporters of “backdoor access” are following the footsteps of the United Kingdom’s Investigatory Powers Act and Australia’s “Assistance and Access” or TOLA Act. Similar to these laws, which it is clearly modeled on, LAEDA would require companies or their employees to comply with government demands for “technical assistance” in law enforcement investigations. These requirements would inevitably force companies to build encryption backdoors.

We’ve said it before, and it’s worth repeating:

There is no way to provide backdoor access to end-to-end encrypted data without weakening security for all users.

The Lawful Access to Encrypted Data Act would not only make Americans more at risk to the crime it’s trying to prevent – but everyone worldwide who relies on American products and services that use encryption to keep them secure online.



The Internet “Just Works”: The EARN IT Act Threatens That and More

When the EARN IT Act was introduced in March 2020, technologists, civil society organizations, academics, and even a former FBI General Counsel blasted the bill as a thinly veiled attempt to prevent platforms from keeping users safe with strong encryption. The bill had implications for intermediary liability, of course, but it was clearly a play to take down the strongest digital security tool we have online.

The EARN IT Act is now a monstrous version of its previous self. It would not only weaken the ability of platforms to protect users through encryption, but fundamentally alter how platforms operate, leading to dangerous consequences for users and the global Internet.

While the new version of the bill would prevent the federal government from forcing platforms to weaken encryption to maintain their intermediary liability protection (a foundational aspect of most companies’ business plans), it would essentially allow states to pass their own version of the original EARN IT Act. This would create a chaotic patchwork of state-level laws, threatening user security across the country and creating borders for a networking system that was never meant to recognize them.

EARN IT: Don’t Solve a Problem by Creating 1,000 More

Most of us use the Internet for just about every part of daily life: banking, work, entertainment, education – and we use it to communicate with friends and family about some of the most important issues our country faces.

We often take for granted that it “just works.” But that is not a certain future.

The EARN IT Act – and many other bills that have been introduced in weeks, months, and years past in an attempt to regulate content and security measures – threatens to undermine the way the Internet fundamentally operates and our ability to continue using it with the freedoms we now enjoy.

To be fair, these platforms don’t always get it right when it comes to figuring out what kinds of content should or should not be permitted to spread online. But the benefit of keeping the onus on platforms to do their best is that we can leave if things aren’t working the way we want or expect. For example, just in the past week dozens of major advertisers have pulled their ads off of Facebook because the platform was not upholding the community’s expectations of what speech should be permitted.

And that’s the way it should be. Governments shouldn’t dictate what kind of content gets to exist online. The Internet is borderless, meaning conflicting legal obligations from different countries would force platforms to choose whose regulations to follow or to create a different Internet experience in every country. The EARN IT Act would shift the responsibility of ownership for content that should not be permitted online from individuals to platforms and make all user communications less secure in the process.

How Does the New EARN IT Act Threaten the Internet?

The new amendments to EARN IT get some things right – most importantly, its Commission of experts on online child sexual exploitation prevention would create a set of voluntary best practices that Congress would no longer have to approve. This means experts can work together to create a set of norms that companies can adapt to their own platforms.

This is a big improvement from the previous version of the bill, as it takes into consideration that large platforms have large staffs to handle complex requirements that may arise. Small platforms, new innovators, and mom-and-pop shops are lucky if they have one or two staff members handling all their tech related issues.

Unfortunately, the problems with the EARN IT Act overshadow its good intentions. Insufficient protections for encryption threaten to make all users more vulnerable to the crime it is trying to address. It also puts the digital economy at risk by taking away a key feature that has been essential for the Internet’s success: liability protection.

Although an amendment was added to the bill to provide protections for encryption, they are far from powerful enough. The protections from the amendment would be tested in state courts across the country, leaving strong encryption on unstable ground. Companies will face a choice: risk their future by implementing end-to-end encryption when it is unclear what the future holds for the legality of the technology in any of the states they operate in, or not take the risk and use less secure encryption. In an uncertain legal environment, companies will refrain from implementing end-to-end encryption, leaving all of us less safe.

On the intermediary liability protection side, this bill would lead to an incredible amount of uncertainty, especially because it does not create a solid floor for its reference to “knowledge” standards. Will platforms be held liable for content that passed over their site through secure channels that weren’t visible to the platform? Will they be held accountable only when the content is reported? Or will “knowledge” fall somewhere in the middle? These are pretty big gray areas for legislation and should be answered before a bill is passed, not after.

By our read, it seems like the bill allows a broad array of claims against platforms that fail to prevent child sexual abuse material from being distributed even if the platform had no knowledge that the content existed or was shared. This will likely ultimately lead platforms to be much more strict about any uploads to their site, which will stifle innovation, communication, and users’ ability to share important messages online.

As we’ve seen in recent weeks, these kinds of proactive filters often get it wrong – like when social media sites took down haunting photos of slaves from the 1800s because of “nudity,” not recognizing the wider context and important message those pictures presented.

This could also lock in the limited competitive marketplace we now enjoy online, as searching and filtering through all the content posted on a platform each day would be much too expensive and time consuming for new or small enterprises. The Internet is still relatively young as far as technologies go. Let’s not knee-cap it before we know what we could really create.

Too Complicated to Pass

The EARN IT Act is an attempt by policymakers to mandate an outcome, but they are doing it in a way that could seriously harm everyday users along the way. Child sexual exploitation is a horrible, heart-wrenching crime. But breaking key security and legal protections that are fundamental to how the Internet works doesn’t fix that problem. It just makes everyone more vulnerable to the crime and hate we’re trying to prevent online.

We need tech-neutral and tech-aware solutions to fix today’s problems in a way that doesn’t compromise our strongest tools to keep people – including children – safe online. We need policymakers to be thoughtful and considerate of the implications of their actions. This rushed-through markup of the EARN IT Act is neither.



Making Intermediaries Liable for Encrypted Content Breaks Trust and Security

In December 2018, the Indian Ministry of Electronics & Information Technology (MeitY) proposed a significant change to its intermediary rules. The draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 seeks to tie tech platforms’ (e.g., social media) protections from liability to an obligation to monitor and filter their users’ content. One of the proposed obligations is to ensure the traceability of messages, even if a service is end-to-end encrypted.

India is just one of many countries around the world experimenting with the idea that Internet intermediaries – specifically social media companies, like Facebook and Twitter – should no longer have immunity from liability for the content shared by their users. Other examples include the U.S. Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (the EARN IT Act), and the recent U.S. Executive Order on Preventing Online Censorship.

The motivation for changing the status quo varies, from wanting traceability of messages to counter the spread of disinformation or CSEM, to stopping objectionable content from being spread on social media, to preventing political messages from being labeled (e.g., as “misleading information”). Similarly, the approaches being considered to achieve this vary, ranging from outright removal of immunity, to conditional immunity (i.e., earned immunity), to a positive “duty of care.” But, no matter the motivation or the approach, the consequences for the future of the Internet and its security remain the same.

Make no mistake, proposals to change intermediary liability to force content monitoring or traceability on end-to-end encrypted services will undermine security on the Internet. Which is why we’ve produced a fact sheet, Intermediaries and Encryption, to explain why pressuring intermediaries to weaken security through liability is harmful – and counterproductive.

Trump’s Social Media Executive Order: Legal, Ethical, Smart?
In the wake of the United States Executive Order on Preventing Online Censorship, the Internet Society will host a virtual event focused on the broader issue of intermediary liability. Join experts as they discuss what it means for the future of speech and platforms online. Register for the event, which takes place Tuesday, June 9th at 1400 UTC!

We must resist approaches that require service providers to override people’s ability to secure their information and interactions. To do so places individuals and organizations at greater risk – with no guarantee of achieving the intended outcome.

It’s especially important now that we help keep people, infrastructure, and countries secure online. And we must protect the Internet as a global vehicle for innovation, education, and social and economic progress. We can do that with strong encryption policies and practices.

Read our fact sheet, Intermediaries and Encryption, and learn more about the unintended consequences that intermediary liability reform could have on the security of the Internet.

To learn more about the ways encryption is being undermined, read our other fact sheets.


There’s No Duty of Care without Strong Encryption

On 15 May, the Telegraph reported that the Five Eyes intelligence alliance planned to meet to explore legal options to block plans to implement end-to-end encryption on Facebook Messenger. According to the UK-based newspaper, the discussions between the governments of the United States, the United Kingdom, Australia, Canada, and New Zealand would focus on how the “duty of care,” a basic concept found in tort law, could be stretched to force online platforms to remove or refrain from implementing end-to-end encryption. (A duty of care is the legal responsibility of a person or organization to avoid any behaviors or omissions that could reasonably be foreseen to cause harm to others.)

If this is true, this is an attempt to justify their calls for encryption backdoors.

It’s easy to predict what such a strategy might look like – the playbook is familiar. In this case, if duty of care becomes the rationale for banning end-to-end encryption, it could be used as a framework to ban future deployments. Additionally, similar to other legislation, including the Online Harms, there will be an argument that social media companies have a special duty of care to protect vulnerable groups. This is nothing more than window-dressing. If there were a special duty of care to protect social media users, it would require stronger security and privacy protections – not weaker ones. End-to-end encryption can provide those protections, and governments should encourage platforms to protect their users, not make them more vulnerable.

True duty of care needs strong encryption.

Governments argue against social media companies applying end-to-end encryption by saying law enforcement should be able to monitor some forms of communication in order to protect vulnerable groups. However, experts, including those from the cybersecurity community, agree that there is no way to facilitate access to encrypted communications for some without weakening the security of everyone on the service. Any method that would allow law enforcement or a service provider to gain access to encrypted content can be found and exploited by criminals or other bad actors – leaving all users at greater risk. That is why technology companies are adding end-to-end encryption to their services.

For journalists, whistleblowers, domestic violence victims, the LGBTQ+ community, and many other people belonging to high-risk communities, end-to-end encrypted communications play a crucial role in ensuring their personal safety. This is especially true now, when communications are forced online by restrictions due to COVID-19. For these communities, confidential communication can be a life or death situation. But it’s not just about high-risk communities. All users benefit from the added security provided by end-to-end encryption. For instance, strong encryption makes it harder for would-be scammers, blackmailers, and other criminals to access communications and information that would make their attacks far more effective.

Governments have a duty of care towards all of us, whether we are from a vulnerable community or not. It is part of their social and political responsibility. In exercising that care, governments should not pursue policies that would undermine the deployment and use of end-to-end encryption in social media or other online services. Instead, they should encourage its adoption.

After the Cambridge Analytica scandal laid Facebook’s data collection practices bare, many became aware of the desire by some of the tech giants to mine and sell our data. Governments, including the UK and the US, condemned the scandal and parliamentary and congressional investigations took place. Well-implemented end-to-end encryption would prevent Facebook from collecting the contents of Facebook messages to sell to third parties, helping to lessen some of the targeted disinformation campaigns facing democracies worldwide. If no one but the users themselves can access their own data, Facebook doesn’t have a chance to sell that data either. As the Internet Society and over 100 civil society organizations stated in an open letter last year to Facebook, “ensuring default end-to-end security will provide a substantial boon to worldwide communications freedom, to public safety, and to democratic values.”

As the Five Eyes continue to discuss duty of care legislation for online platforms, support for end-to-end encryption must be at the forefront. This is their true duty of care.

Join a global movement of people working to make sure governments don’t take away our strongest digital tools to keep ourselves and our children safe online. Become an Internet Society member today.



Announcing the Launch of the Global Encryption Coalition

Today, more than 30 civil society organizations joined in launching the Global Encryption Coalition, to promote and defend encryption in key countries and multilateral gatherings where it is under threat. The new coalition is led by a Steering Committee consisting of the Center for Democracy & Technology (CDT), the Internet Society, and Global Partners Digital.

“The spread of COVID-19 has underlined the necessity of secure, private internet communications. Those who are fortunate enough to have strong internet connections are likely sharing increasing amounts of sensitive data online. At the same time, governments around the world are considering policies that put the security of that data at risk,” said Greg Nojeim, CDT’s Senior Counsel and Director of the Freedom, Security and Technology Project. “Encryption enables people to have private and secure digital lives.”

Working together with a membership that will quickly grow to include companies and technologists, CDT and the Coalition will help activists on the ground in key countries where encryption is under threat, like Canada, Australia, India, and Brazil, beat back proposals that would weaken it. “The Coalition will alert technologists to encryption threats around the world, and create mechanisms through which they can deliver expert analysis to mitigate those threats,” said Mallory Knodel, Chief Technology Officer of CDT.

“CDT is excited to have this opportunity to deliver expert analysis, global engagement, and a megaphone to support local efforts to protect encryption,” Nojeim added.

“The Internet Society is thrilled to be joining forces with the Center for Democracy and Technology and Global Partners Digital to form the Global Encryption Coalition,” said Jeff Wilbur, Senior Director of Online Trust at the Internet Society. “With a global health pandemic driving more of our daily activities and communications online, encryption is more important than ever to help keep people and countries secure. We look forward to working with a global movement of coalition members focused on promoting and defending the use of strong encryption policies and practices worldwide.”

We’re launching the Global Encryption Coalition with a series of free webinars on May 14 in five places around the globe. The events demonstrate how encryption helps people face the challenges that the current global health crisis has created.

Steering Committee Members
Center for Democracy and Technology
Internet Society
Global Partners Digital

Members (See full list of members.)
American Civil Liberties Union
ARTICLE 19
Association for Progressive Communications (APC)
Canadian Civil Liberties Association
CETYS
Citizen Lab, Munk School of Global Affairs & Public Affairs
Coalizão Direitos na Rede
Coding Rights
Committee to Protect Journalists
DataPrivacy.br
Derechos Digitales
Digital Empowerment Foundation
Digital Rights Watch
Electronic Frontier Foundation
Fundación Karisma
Hiperderecho
The Institute for Technology & Society of Rio
Instituto Nupef
InternetNZ
Intervozes – Coletivo Brasil de Comunicação Social
IP.rec – Instituto de Pesquisa em Direito e Tecnologia do Recife
IRIS – Instituto de Referência em Internet e Sociedade
LGBT Technology Partnership & Institute
New America’s Open Technology Institute
Open Media
Open Rights Group
Paradigm Initiative
Prostasia Foundation
Red en Defensa de los Derechos Digitales
Small Media
SFLC.in
Software Freedom Law Center
Stiftung Neue Verantwortung
WITNESS


Encryption: The Digital PPE We All Need

In the midst of a global pandemic, Internet security can be a matter of life and death.

Think of how critical the Internet has been to address the COVID-19 public health crisis. It has allowed half the world fortunate enough to have access to stay on top of critical public health updates and stay in touch with loved ones at a safe distance. Some can even continue activities like distance education, work from home, and access vital telehealth services.

But what if it weren’t safe to do these things? Would the world be as willing to follow social isolation measures?

Encryption keeps billions of people and countries secure online every day. It protects the integrity of news online, keeps your banking information out of the hands of criminals, and allows communications over messaging and videoconference platforms to stay confidential.

That’s a good thing. With people spending more time online than ever, cyber criminals are targeting the increasing amount of private data and commercially or government sensitive information traveling across the Internet. We’ve already seen proof in the corresponding rise in criminal activity over the last few months. The United States Federal Bureau of Investigation, for instance, said cybercrime reports have quadrupled during COVID-19.

What’s even more frightening? Several governments worldwide are trying to undermine the encryption technologies that help protect people, industries and countries against these crimes.

Every one of these attempts to weaken our digital security – often some form of backdoor access proposal to give third parties access to encrypted data – is a major concern. Action by one country to weaken encryption threatens us all.

With global public health efforts driving more of our daily activities online, it’s up to all of us to make sure governments enable us to use the PPE we need to protect our digital health.

That’s why the Internet Society is proud to join forces with the Center for Democracy and Technology and Global Partners Digital to form the steering committee of the Global Encryption Coalition.

Together with over 30 civil society members, we’ll grow this global movement to include organizations, technologists, and corporations around the world working to promote and defend strong encryption policies and industry practices in key countries where it is under threat.

You can help. To celebrate the official launch of the Global Encryption Coalition on 14 May 2020, we’re hosting a global webinar event, “Health, Encryption and COVID-19: Keeping people and countries safer online.” This event will feature five webinars across the globe exploring how encryption helps people and countries navigate a global health crisis, and how we can stop proposals that could undermine the digital and real-life health and security of people and countries everywhere.

We’re already taking precautions to protect our health that we couldn’t have imagined a few months ago. Let’s make sure we can use the PPE we need to protect our digital health as well.

Find out how you can do your part! Register for the Health, Encryption and COVID-19 webinar series today.


Image by Noah Matteo via Unsplash


Now Is Not the Time to Put Everyone’s Security on the Line

This opinion piece was originally published in SC Magazine.

With social distancing the norm, we’re spending more time on the Internet doing more important things than ever – eg, working, learning, banking, trading, shopping, seeing the doctor and having family time – as well as streaming, gaming and interacting with our connected speakers.

Shouldn’t we be certain, especially now, that no one is eavesdropping, stealing or modifying our data?

Encryption is the primary means of accomplishing that goal. Using encryption, data is scrambled so that only the intended people can see the data. It’s right there under the covers most of the time when you’re on Wi-Fi, Bluetooth, 4G and browsing most websites.

Unfortunately, most online services today still do encryption in a piecemeal manner. Sections along the path are encrypted, but typically there are points along the way where the data is unencrypted and processed in some way before being re-encrypted and sent along.

The good news is that many messaging services – eg, WhatsApp, Telegram and Signal – offer end-to-end encryption, where only the sender and intended recipient can “see” the message. Everyone else along the path – even the company providing the service – can’t see inside. The more this happens, the better our data is protected.

But, consumers’ data protection is nonetheless being threatened, mostly by governments who want access to the data for law enforcement or intelligence purposes, but also by businesses that want to monetise their data. The request goes something like this: “We strongly believe in encryption to safeguard everyone’s data. Hey, we even rely on it in the government. And we don’t want any backdoors that would let criminals break in. We just need to see the data of specific individuals using your service. And we’ll only ask for it when there’s a serious crime involved and we have a warrant.”

Creating a dangerous master password

At first glance, this seems like a reasonable request. It’s only the data of one individual, there’s a good reason to want it, and the request comes with proper authority. And who doesn’t want to stop horrific crimes or to catch their perpetrators? But, this is what goes unsaid – the mechanism to provide access for any one individual’s data on that service puts everyone on that service at risk. It’s like creating a master password for the entire system. Sure, that password will be long and complex and nearly impossible to guess and only a few people will have access to it, and it will only be used in the most extreme circumstances.

But do you want this master password to exist? People at the company could abuse it, and governments could also abuse it; but even if you trust their intentions, look at their data security track record over the last few years – tens of thousands of data breaches involving billions of records (and by the way, why weren’t those databases better encrypted, which would have protected individuals’ personal data from being exposed?). Or even more importantly, do you trust that bad guys across the globe won’t figure out or find or steal that master password? If they do, all bets are off for everyone on the service. If users can’t trust that their communications are adequately protected, they will limit their use of the Internet.

Debates on this topic are happening across the globe.

Most arguments for this so-called “exceptional access” revolve around child exploitation and terrorism or other serious crimes. For instance, in the US the EARN IT Act, which was introduced to the US Congress in March, doesn’t even mention encryption – it just implies that companies providing the services we all count on need to provide access to the pertinent data in an unencrypted form or face fines and prosecution. Yet, these are the same services that protect vulnerable communities like domestic abuse victims, journalists, and activists right alongside our families, military and law enforcement.

What you can do

Curbing criminal activity is an important task, but we can’t do so by weakening the security of virtually everyone online. Make sure your MP protects your right to strong encryption. Be aware of the variety of dangerous approaches governments are taking to get access to the data they want. They range from scanning unencrypted data at the sending or receiving end, forcing decryption somewhere along the path, to even tapping into the flow as a silent third party. All of these approaches represent mechanisms that jeopardise security by breaking the concept of end-to-end protection.

Let’s all join together to protect encryption. Let’s fight for our right to keep our communications secure. While governments may insist that they are sacrificing one person’s security for the greater good, in reality they are forcing the sacrifice of security for us all.

Take these six actions to protect encryption and protect yourself.


Kids Need Encryption Too

With most of the world on lockdown, children are likely spending more time than ever online. Between virtual classrooms and keeping up with friends on social media, many kids are depending on the Internet to maintain a semblance of normal life amidst the global health crisis.

While parents may worry about how this might affect their children’s well-being, experts have warned that the surge in screen time could also expose kids to safety risks online more often.

In Asia-Pacific, a recent UNICEF report found that 32% of children between 10 and 17 years old in Bangladesh have faced cyberbullying, violence, and harassment online. Meanwhile, a McAfee study in India found that 70% of youngsters have posted their personal details on the Internet, making them an easy target for cybercriminals.

Earlier this month, the Internet Society ran a short webinar, Kids, the Internet and COVID-19, to show parents how they can protect their kids’ privacy and security online through encryption.

Encryption is a way of ‘scrambling’ information to make it unreadable to malicious actors who might want to access it, and works much like the codes that we used as children to send secret messages to each other – but better. Encryption protects our emails, our online messages, and even our bank details – a critical safeguard as cyber attacks grow amidst the pandemic.

One of the most important things a parent can do to keep their kids secure is to choose only messaging apps that are end-to-end encrypted, such as Signal, WhatsApp, and Telegram. They should also only visit websites that show a lock icon by the URL, which tells you that the page, and the information you send and receive, have been encrypted. It’s just as crucial to teach kids to set long and strong passwords for their online accounts and their devices – these can be sentences that combine letters, numbers, and symbols.

Three years ago, 90% of young people surveyed by UNESCO felt they should be given the right tools to protect themselves on the Internet. And yet, some governments are threatening to take away one of their strongest tools to do so.

As we raise the next generation of able and responsible netizens, let’s make sure kids can keep using encryption as a protective shield to keep themselves safe and secure online.

If you would like more tips on how to keep children safe online amidst COVID-19, please watch our webinar, now available on our Facebook and YouTube channels.

Want to join a global movement of people working to make sure governments don’t take away our strongest digital tools to keep ourselves and our children safe online? Become an Internet Society member today.


Disinformation: The Invisible Sword Dividing Society

Supermarkets have finally restocked their toilet paper in Hong Kong after weeks of panic buying when a rumor about toilet paper shortage due to closure of factories in China went viral. The toilet paper shortage did happen, but it was because of panic buying, not because of factory closure in China. How did the rumor spread? Was disinformation one of the culprits?

On February 25th, the Internet Society Hong Kong Chapter organized a Hong Kong Internet Governance Forum Roundtable on disinformation. On the panel were Eric Wishart, News Management Member at Agence France-Presse (AFP); Masato Kajimoto from the Journalism and Media Studies Centre of the University of Hong Kong; George Chen, Head of Public Policy (Hong Kong, Taiwan and Mongolia) at Facebook; and Charles Mok, a local Legislative Councillor.

Did someone spread “disinformation” about toilet paper shortage?

While a lot of people think that the rumor on toilet paper shortage is a piece of disinformation or fake news, Masato reminded us that it actually is not. Disinformation is information that is deliberately created to deceive people, which is different from “misleading information.” In the case of panic buying toilet paper, some people made an opinion about toilet paper production in light of factory closure – that is, the shortage would logically happen if factories could not operate.

Masato didn’t care much about the rumor when he first read about it in the morning. But by the same afternoon, all the toilet paper was sold out. He did not expect this to happen as he thought it was just a prediction someone made and spread online. Journalists reported on this widely by emphasizing the empty shelves in supermarkets, which led to more panic buying, and this was how the rumor spread.

The trap for journalists in reporting

Journalists followed and reinforced the narratives of the rumor with the headline: “Empty Shelves in Supermarkets.” Eric pointed out that this is a big trap for journalists. It is easy for journalists to selectively choose stories that fit into certain narratives and ignore the facts, which Eric refers to as “confirmation bias.” This is where a critical mind needs to come in, and journalists should avoid falling into this trap of following narratives.

What measures have news agencies taken to combat fake news?

In consuming news information, we should choose our sources carefully, and news agencies are one of the main sources. Eric shared the ways in which AFP has built its credibility. He stressed the importance of gaining public trust through transparency of editorial procedures and efforts of fact-checking in partnership with other organizations. For example, AFP has set up editorial standards and best practices, as well as principles of sourcing. AFP has also joined the International Fact-Checking Network and is an independent fact-checker for Facebook. These efforts have built AFP’s credibility, which AFP can utilize in the battle against disinformation.

What is the role of social media in combating fake news?

Another major source of news information is social media platforms. George shared that Facebook partners with independent third-party fact-checkers like AFP to help them identify certain types of misinformation for removal, especially when the information violates their community standards. Repeated offenders will also have their account or page taken down. Another measure is to reduce the spread of misinformation in news feeds. When a piece of fake news is flagged, there will be a note under the post saying that it is misinformation verified by the fact-checker.

Is legislation a way out?

Although different sectors have contributed to the battle against fake news, we are still seeing its viral spread. Some legislative councillors in Hong Kong have thus proposed a fake news law in Hong Kong. However, Charles expressed his grave concern about such a law. Charles pointed out that a fake news law can only function effectively when there are checks and balances in the government. But there has been an increasing number of requests made by the Hong Kong government to social media companies to remove certain content, and the Hong Kong Police Force has accused social media of damaging their reputation. Charles worried that a fake news law would be abused to suppress freedom of speech in Hong Kong.

Let’s face it: the weaponized fake news

We have discussed ways of combating fake news from different angles, but they cannot stop disinformation if people don’t distinguish between facts and opinions. Education is a major effort that the government, as well as different stakeholders, should push for.

Fake news is unfortunately an outcome of social and political conflicts, stemming from the huge pluralization in Hong Kong. A lot of the “fake news problems” we have witnessed in Hong Kong – posts about Joshua Wong’s U.S. green card, police pepper spraying a stray dog, etc. – were used to shape the information into narratives that favor certain sides of the political spectrum. In this regard, they are propaganda and therefore, political problems. Sadly, not many of the measures described above can help with these problems.

Watch the recorded live stream of the roundtable.

Encryption is essential for protecting freedom of expression and privacy. Read the fact sheet: How Encryption Can Protect Journalists and the Free Press.


Encryption Helps America Work Safely – And That Goes for Congress, Too

This opinion piece was originally published in The Hill.

Over the past month, Americans across the country have adapted to a new reality of life, which includes social distancing to curb the spread of COVID-19. For those fortunate enough to be able to do so, that means learning to work, attend educational classes and socialize from afar using the Internet. For a huge number of Americans, social distancing means little to no work – and even greater uncertainty. Businesses, schools and government entities everywhere are asking the same question, “can we perform our work online and, just as importantly, can it be done securely?” 

As Congress acts to respond to COVID-19, it faces a similar challenge. With some Congressional members and staff testing positive for COVID-19, and others choosing to self-isolate, lawmakers are exploring whether they can perform the most critical aspects of their office remotely – deliberation and voting. For Congress to be able to vote remotely on legislation, measures to ensure the integrity of these communications are critical. If even one vote is changed or blocked by a criminal or foreign adversary, the legitimacy of congressional decisions, and thus Congress as a whole, will be called into question. Any digital voting solution would need to rely on strong encryption to be secure.

Encryption is a critical tool to provide confidentiality and integrity to digital communications. Encryption enables much of the flexibility needed for staff to work from home securely during social distancing. End-to-end encrypted messaging like WhatsApp, Signal or iMessage, and voice or video calls allow staff to discuss sensitive topics without fear of eavesdroppers. Encryption also secures everyday digital activities like payroll, human resource management, and file sharing. For Congress to legislate effectively while staying healthy during this pandemic, the security provided by encryption will be key. When reaching across the aisle, especially necessary in times of crises, staffers and legislators must be assured that politically sensitive discussions remain confidential – even when those conversations happen over the Internet. And while congressional votes are public information, a remote voting system must ensure that congressional members’ votes aren’t tampered with, and in case they are, make it clear that tampering has occurred.

A new bill introduced by Judiciary Committee Chairman Sen. Lindsey Graham and Sens. Richard Blumenthal and Dianne Feinstein puts the security provided by encryption under threat, and therefore, weakens the country’s ability to work, learn and govern while we aren’t able to conduct business as usual. This bill, called the “EARN IT Act of 2020,” would make changes to Internet intermediary liability rules in the United States and could force companies to modify their services for law enforcement to gain access to encrypted user content for various services – or become liable for the actions of all their users. But the consensus among cybersecurity experts is clear: there is no way to provide exceptional access to encrypted communications for law enforcement without making all of its users more vulnerable. Any way for law enforcement to get in could be found by criminals or foreign adversaries, and used for their own purposes.

As the country faces an unprecedented challenge, we all must be practical, flexible and energetic. We need to ensure Americans have the tools they need to successfully do their job remotely and securely, especially if that job is a member of Congress – that means not passing legislation that can undermine strong encryption practices.

Take these six actions to protect encryption and protect yourself.


Image by Simon Abrams via Unsplash