Privacy and Protection: A children’s rights approach to encryption

 

A new report, co-published by CRIN and defenddigitalme, aims to capture the full complexity of how encryption affects children’s lives. It sets out principles for an approach to encryption that recognises and respects the full range of their rights.

 
two navy heads facing opposite directions with faded pastel lines in the background
 

Encryption is everywhere, for children as for adults. It plays an essential role in securing communications throughout children’s lives, from everyday visits to websites to using health services. 

A debate is currently underway regarding encryption and public safety, with a focus on the fight against online child sexual exploitation and abuse. This discussion is often experienced as a divide between a child protection approach and a civil liberties focus. This report, co-published by CRIN and defenddigitalme, is a response to this divide, based on a recognition of the full complexity of how encryption affects children’s lives. Its aim is to set out principles for an approach to encryption that recognises and respects the full range of their rights. 

 
 

How did we get here?

The development of encryption, and the debates that surround it, have a long history and are intertwined with the technological developments of the past 50 years. The report begins by placing this debate in its historical context, from the “crypto-wars” since the 1970s to the challenges of today, and explores the relevant technology, including tools used to identify online child sexual abuse material. We aim to be clear about the uses, functions, benefits, costs and compromises of this technology, so that its role and impact on children’s rights can be assessed.

 
 

Moving beyond polarisation

"Despite the common narrative of polarisation in discussions about encryption, we found there is much more that unites those involved than divides them. The most striking difference is the understanding of the limitations of what technology can deliver today on the part of technologists and digital rights advocates, compared with the high hopes of many child protection specialists."

~ Jen Persson, Director of defenddigitalme 

Current discussions on encryption involve a range of actors, from policy-makers and law enforcement, to civil society, academia, social media, and established industry bodies and businesses, as well as emerging companies in the child safety market. Many different perspectives are involved, from child protection, privacy and data protection, to technology, Internet regulation, and politics. Moving beyond the current divides requires an understanding of the various approaches and priorities of those working in this space.

Interviews, questionnaires, and conversations with these professionals were at the heart of our research. Building on these, the report represents and examines a variety of perspectives on topics ranging from the pressing need to address online child sexual abuse and to include survivors’ voices, to the role, possibilities and limitations of technology and regulation, as well as the call to think beyond the dominant Anglo- and Euro-centric approaches. The report identifies frictions and faultlines but also where there is space for consensus, with the aim of improving the transparency of the discussion, agreeing on what is already settled, and moving the conversation forward.

Children’s rights are on all sides of the discourse

The polarisation of “privacy versus protection” masks a complex picture. Encryption engages nearly all of children’s rights from a wide variety of angles. Applications of encryption can protect or expose children to violence, promote or undermine their privacy, encourage or chill their expression. 

The report explores how encryption affects the full spectrum of children’s rights, treating the UN Convention on the Rights of the Child as an agreed international foundation. It examines how the Convention applies to children who are affected by or use technology that involves encryption by setting out both the benefits and the risks that encryption may pose to the realisation of children’s rights. 

The report also argues that a children’s rights approach to the debate must recognise that children are a diverse group and the impact of encryption can vary significantly depending on their backgrounds, needs and identities. Children can be affected by encryption in both public and private settings and in a variety of contexts, including where they belong to disadvantaged or marginalised groups. The report therefore suggests scenarios to open up the discussion beyond the paradigm of privacy versus protection, giving examples of the breadth and complexity of ethical, legal and practical issues at stake.

“The debate about encryption cannot be a question of privacy versus protection - children have a right to both. The challenge lies in how to secure the full range of children’s rights in this space, both in terms of how the debate is held and the outcomes we want to achieve.”

~ Leo Ratledge, Co-Director of CRIN

What would a children’s rights approach to encryption look like?

Applying children’s rights to the terms of the current debate, Privacy and Protection sets out ten principles for a children’s rights approach to encryption. 

The approach to the issue is important as well as the outcome, so the first five of these principles address how the issue should be framed and deal with questions of process. We argue that:

  • Actions affecting the digital environment must respect the full range of children’s rights, from protection from violence to privacy and freedom of expression.

  • No single law, policy or technology can protect children online or secure their human rights more broadly. Interventions engaging encryption must be seen within a wider ecosystem with many actors.

  • All those with relevant expertise must be involved in discussions and decision-making regarding children and the digital environment, including on encryption. 

  • Children and other directly affected communities, for example survivors of child sexual abuse or those disproportionately affected by intrusive data practices, must be heard and their views given due weight.

  • The digital environment is interconnected and regulation in one jurisdiction is very likely to cause ripple effects in others, therefore policy-makers engaging with encryption must address the impact beyond their own jurisdiction.

 
 

The latter five principles deal with the substance of policy-making around encryption. We argue that: 

  • There should be no generalised ban on encryption for children.

  • Interventions engaging encryption must consider and address specific political, economic, social and cultural contexts. 

  • Restrictions on qualified children’s rights such as privacy must be necessary and proportionate. They should be sufficiently clear and precise, limited to achieving a legitimate goal and the least intrusive way of doing so.

  • Policy-making should address the role of business, including by requiring more transparency around how platforms prevent and remedy violations of children’s rights.

  • Children must have access to justice for all violations of their full range of rights in the digital environment, including where encryption is engaged.

Moving the debate forward

We are at a point where policy-making will shape how children engage with the digital environment for decades to come. It is essential that discussions and interventions related to encryption are grounded in the full range of expertise in technology and the law, and that they respect all children’s rights. 

We hope that this report contributes to a better understanding of the terms of the debate and how the use of encryption engages children’s rights, and that the principles provide a useful framework for richer and more transparent discussions that value both privacy and protection.


This report is produced for a joint project between CRIN and defenddigitalme exploring a children’s rights approach to encryption

Sign up to our newsletter to stay updated and follow the project on Twitter, LinkedIn and Instagram at #PrivacyAndProtection