Encryption dilemma: Will security win over privacy concerns?

Every other week Kenyans are treated to leaked screenshots of explicit messages or compromising photos and videos. Correspondences between former business partners are also common on social media platforms, usually meant to shame or extort the victims.

Over time, to avoid falling victims, more and more people have turned to encrypted platforms to keep their sensitive information and trade secrets away from cyber-criminals prowling the internet. Messaging apps like WhatsApp, Telegram and Signal have become favoured for day to day communication for their ability to secure data in transit between the sender and receiver through encryption.

Basically, encryption refers to a process in which information or data from the sender to receiver is converted into a code to prevent unauthorised access.

Encryption has been a vital tool of safeguarding the dignity of social media users, but concerns are rife that it is a double edged sword, one that threatens both individual and national security.

One greater concern are platforms like Wickr, Surespot, Wire, Silence, Pryvate Now and CoverMe that are heavily encrypted, making them fertile grounds for criminals seeking to groom innocent adults and children into criminal activities and for terrorists to plan attacks without detection.

In the United States for example, authorities singled out Signal as being widely downloaded by demonstrators and planners seeking to avoid censorship. In the #Blacklivesmatter protests for instance, they share information of the locations and time that they take place in over 50 states.

Locally, the concern is that as the country heads into the heated 2022 general elections , the encrypted social media platforms are already being used to sow hate and division across the country.

This week, the United Kingdom, US, Australia, India and Japan jointly with the WePROTECT Global Alliance which seeks to stop online sexual abuse and exploitation, The United Stated National Centre for Missing and Exploited Children (NCMEC) and a coalition of more than 100 child protection organisations called for action to ensure that measures put in place to increase privacy in communication including end-to-end encryption do not come at the expense of national security and children’s safety.

In a statement released by the US Department of Justice, they argued that the encryption craze prohibits technology companies’ own abilities to identify and respond to violations of their terms of service including child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning.

Pervasive abuse

They also argued that it denies law enforcement agencies access to content in those limited circumstances that are necessary to investigate serious crimes and protect national security where there is lawful authority to do so.

Their concern about the investigatory hurdles presented by encryption appear founded given that the United Nations Children’s Fund (Unicef) estimates that one in every three internet users is a child. WePROTECT’s global threat assessment last year confirmed that publicly accessible social media and communications platforms remain the most common methods for meeting and grooming children online.

That Facebook Messenger was in 2018 reported as being responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, underscores the pervasiveness of the abuse.

“These reports risk disappearing if end-to-end encryption is implemented by default, since current tools used to detect child sexual abuse do not work in end-to- end encrypted environments,” the statement warned.

A December 2019 joint statement by the US and the European Union made it clear that while encryption is important for protecting cyber security and privacy, the use of warrant-proof encryption by terrorists and other criminals including those who engage in online child sexual exploitation compromises the ability of law enforcement agencies to protect victims and the public at large.

“In light of these threats, there is increasing consensus across governments and international institutions that action must be taken. While encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online,” added the statement.

Developed countries have already started taking steps to have some semblance of control. Last year, tech companies in the UK, US, Australia and Canada were instructed to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format.

Closer home, the East Africa Police Chiefs Cooperation Organization (EAPCCO)’s member states in their meeting last month held that there exists a large number of Facebook, Instagram and WhatsApp subscribers in the region some of whom who use the channels to propagate and commit crimes that include terrorism.

The council of police chiefs, however noted that there exists a legal and jurisdictional challenge that law enforcement agencies encounter in the course of investigations since these platforms ate domiciled and registered in foreign jurisdictions.

To address this challenge therefore, the council resolved to work closely with Interpol and Facebook through their national points of contacts to investigate and combat all forms of online crimes to ensure user safety in the cyber space.

Conflicting interest

They further resolved that member countries continue utilising the Interpol Terrorism Online Presence Unit to conduct open source investigations and analysis requests.

Cyber security experts in Kenya acknowledge the conundrum of end-to-end encryption. They argue that a balance should be found between the need to protect individual’s rights to privacy and the State’s need to enhance security surveillance.

Kenya Cyber Security Forensics Association’s vice chairman Fred Wahome said that investigators particularly find it harder to conduct forensics on an encrypted channel which makes the apps a great concern to the government.

“A normal call can be retried through the mobile service provider but an encrypted call or text is harder for the investigators to conduct forensic investigations. The Signal messenger is particularly very attractive because its users know that their communication details cannot be accessed or breached and especially iPhone users,” he added.

Mr Wahome reckoned that the citizenry will naturally want encryption because of its security even if they are not doing anything unlawful and therefore the State should not lean on decryption alone to smoke out criminals.

On Tuesday, President Uhuru Kenyatta nominated the Independent Electoral and Boundaries Commission (IEBC)’s Director for Voter Education, Partnership and Communication Ms Immaculate Kassait to be the country’s first Data Commissioner.

Once vetted and approved by parliament, the commissioner will be responsible for the enforcement of the Data Protection Act which stipulates how data is going to be handled and secured bearing in mind the privacy of the individuals.

“The act covers anyone who will be a data controller or processor including governments. The data commissioner will give guidance and clarity on how data should be handled by different parties including government, private organisations and institutions,” Mr Anthony Muiyuro, a cyber security expert told the Business Daily.