(New York) – Human Rights Watch released an interactive online game today to help people understand how important strong encryption is to everyone’s security in the digital age. The interactive feature, “Everyday Encryption,” shows how encryption protects people in their daily lives.
Technology companies and nongovernmental groups rely on encryption to secure sensitive data from malicious actors. At the same time, governments contend that encryption will limit their surveillance capabilities, saying that they are “going dark” in their ability to investigate crime and monitor potential terrorist threats. On December 6, 2018, the Australian parliament rushed to pass the Assistance and Access Bill to enable access to encrypted data. However, cybersecurity experts warn that this would weaken the security measures people rely on every day, in Australia and worldwide.
“Encryption helps shield our online transactions, personal data, intimate photos, and sensitive communications from prying eyes,” said Cynthia Wong, senior internet researcher at Human Rights Watch. “But how these technical defenses work is sometimes opaque, so we hope people who play the game will learn more about how important encryption is to their safety.”
It is a choose-your-own-adventure style game where the player is asked to guide a character in making choices about how they communicate or manage their data. The game takes around 15 minutes to play and directs users to further resources on digital security and the policy debate on encryption.
Encryption scrambles data so that it is only readable by those who have the “key” to decode it. Financial institutions, online file storage services, phone and laptop makers, and other companies regularly use encryption to secure people’s personal data from cybercriminals and identity thieves. Websites increasingly support encryption, like Hypertext Transfer Protocol Secure (HTTPS), to help shield people’s browsing habits from government agencies and others who may monitor their networks. And apps like WhatsApp, Signal, and iMessage encrypt chat messages end-to-end, meaning the app provider doesn’t retain encryption keys and cannot read messages sent by users.
The interactive game, designed by Human Rights Watch’s 2017-2018 Ford-Mozilla open web fellow Rebecca Ricks, shows how encryption protects people in their daily lives – when they are surfing the web on a coffee shop’s Wi-Fi, for example – and what may happen if encryption built into devices or software is deliberately weakened. The game also demonstrates how encryption helps protect people who often find themselves under disproportionate scrutiny, such as activists, communities of color, or domestic violence survivors seeking safety from abusers.
Officials in several countries have begun demanding that companies like Apple, WhatsApp, and Telegram build intentional security weaknesses, known as “backdoors,” into their services to allow security agencies to get encrypted data. But this approach would weaken encryption for everyone and make people less safe.
In September 2018, law enforcement officials from the Five Eyes intelligence alliance – a group that includes Australia, Canada, New Zealand, the United Kingdom, and the United States – warned that if companies don’t voluntarily facilitate access to encrypted data, the countries “may pursue technological, enforcement, legislation or other measures” to force them to do so.
Australia’s sweeping new law will allow security agencies to order technology firms to take vaguely described actions to enable access to encrypted data, without adequate judicial oversight and other critical safeguards.
The broadly drafted powers could, for example, enable authorities to force Apple and WhatsApp to send users fake software updates that would break encryption, secretly add third parties to users’ chats, or turn phones or smart speakers into live listening devices.
Australia’s law is modelled on the UK’s Investigatory Powers Act, which similarly requires companies to potentially introduce intentional security vulnerabilities into encryption. In the US, law enforcement officials continue to call for anti-encryption legislation, even though they have been criticized for overstating the problem encryption poses to investigations. The Federal Bureau of Investigation had earlier tried to force Apple to override security measures built into iPhones to defeat encryption that protects user data. Authorities were investigating the perpetrators of the 2015 attack in San Bernardino, California, but eventually withdrew the court order because they were able to access the phone data without Apple’s help through a third-party contractor.
In April, Russia’s state media and communications watchdog, Roskomnadzor, obtained a court ruling to block Telegram for the company’s failure to provide encryption keys to the Federal Security Service under counterterrorism legislation passed in 2016. Roskomnadzor then blocked millions of Internet Protocol addresses in an attempt to cut off access to Telegram inside the country, broadly disrupting access to unrelated websites and services. Iran also blocked Telegram in May and China has similarly passed a cybersecurity law that, if interpreted broadly, could require companies to install backdoors or refrain from using end-to-end encryption. In April 2017, the Chinese government released a Draft Encryption Law that, if passed, could harden backdoor requirements and restrict use of encryption to only pre-approved domestic products.
Government efforts to weaken encryption will endanger people and undermine rights. Where software makers do not retain encryption keys, the nearly universal view among cybersecurity experts is that it is impossible to build a backdoor for one government that wouldn’t leave all users exposed to people who would try to uncover that vulnerability for malicious purposes.
Repressive governments could exploit backdoors to identify “troublemakers” and throw them in jail, and cybercriminals seek them out to steal data for identity theft and credit card fraud. Even former Five Eyes intelligence officials and Europol have warned that undermining encryption for one purpose may have serious and widespread consequences that weaken cybersecurity overall.
“The debate over backdoors isn’t about privacy versus security, but rather inadequate security versus basic security for everyone,” Wong said. “With Australia and others passing laws that gut encryption in the technology we use every day, the public has a right to know just how much that will put our safety at risk, online and off.”