P16. Encryption of user communication and private content (digital platforms)

The company should encrypt user communication and private content so users can control who has access to it.

Elements:

  1. Does the company clearly disclose that the transmission of user communications is encrypted by default?
  2. Does the company clearly disclose that transmissions of user communications are encrypted using unique keys?
  3. Does the company clearly disclose that users can secure their private content using end-to-end encryption, or full-disk encryption (where applicable)?
  4. Does the company clearly disclose that end-to-end encryption, or full-disk encryption, is enabled by default?

Definitions:

Content — The information contained in wire, oral, or electronic communications (e.g., a conversation that takes place over the phone or face-to-face, the text written and transmitted in an SMS or email).

Encryption — Hides the content of communications or files so that only the intended recipient can read it. An algorithm converts the message (plaintext) into a coded form (ciphertext) that looks like a random series of characters to anyone who intercepts it; only someone who holds the corresponding key can decrypt the ciphertext, reversing it back into plaintext. Data can be encrypted while it is stored (at rest) and while it is being transmitted (in transit), and the two protect against different parties: encryption at rest protects a device or server that is lost, seized or compromised, while encryption in transit protects against anyone watching the network.

For example, a user can encrypt the data on a hard drive so that only someone holding the key can read the drive's contents. A user can also send an encrypted email message, so that nobody can see the contents while the message moves through the network to the intended recipient. With encryption in transit (for example, when a website uses HTTPS), the connection between the user and the website is encrypted: an outsider such as the user's internet service provider can still see which website the user connected to (the domain name and server address), but not what the user sends to or receives from that site, nor which sub-pages the user visits. For more information, see this resource: http://www.explainthatstuff.com/encryption.html.

End-to-end encryption — With end-to-end encryption, the content is encrypted on the sender's device and decrypted only on the recipient's device, so only the sender and receiver can read it. Third parties, including the company that carries or stores the message, hold only ciphertext and cannot decode the content. This is stronger than encryption in transit alone, where the company decrypts each message when it reaches its servers.

Full-disk encryption — Comprehensive encryption of all data stored on a physical device, in such a way that only the user is able to access the content, by providing the user-generated password(s) and/or other means of decryption (fingerprint, two-factor authentication code, physical token, etc.). It protects data at rest, for example when a phone or laptop is lost, stolen or seized while locked or powered off; once the user has unlocked the device, software running on it can read the data as usual.

Indicator guidance: Encryption is an important tool for protecting freedom of expression and privacy. The UN Special Rapporteur on freedom of expression has stated unequivocally that encryption and anonymity are essential for the exercise and protection of human rights. We expect companies to clearly disclose that user communications are encrypted by default, that transmissions are protected by “perfect forward secrecy” (each session is protected by its own freshly generated key, so that a key compromised later cannot be used to decrypt traffic that was recorded earlier; this is the “unique keys” of element 2), that users have an option to turn on end-to-end encryption, and whether it is enabled by default. For mobile ecosystems and personal digital assistant ecosystems, we expect companies to clearly disclose that they enable full-disk encryption.
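The three properties the definitions and the guidance describe (encryption in transit, end-to-end encryption, and forward secrecy through per-session keys) are easiest to tell apart by watching who can decrypt what. The following Go program is an added example written for this page; it is not code from Ranking Digital Rights or from any platform. It assumes X25519 key agreement with AES-256-GCM as a stand-in for whatever a given company actually deploys, uses SHA-256 over the raw key-agreement output in place of a proper key-derivation function, and uses the constructed names Alice, Bob and a relaying server. It shows that with transport encryption alone the platform reads the message on arrival (element 1), that with an inner end-to-end envelope the platform can strip its own layer but not read the content (element 3), and that a key from a later session does not open earlier recorded traffic (element 2).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Party is one endpoint (a user device or the platform's server). Each session
// starts from a fresh X25519 key pair, which is what gives forward secrecy.
type Party struct{ priv *ecdh.PrivateKey; Pub *ecdh.PublicKey }

func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return &Party{priv, priv.PublicKey()}
}

// SessionKey is the AES-256 key shared with peer (both sides compute the same
// value). SHA-256 over the raw ECDH output stands in for a real KDF such as HKDF.
func (p *Party) SessionKey(peer *ecdh.PublicKey) []byte {
	shared, err := p.priv.ECDH(peer)
	must(err)
	sum := sha256.Sum256(shared)
	return sum[:]
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// Seal encrypts with AES-256-GCM; output is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; ok is false for a wrong key or a modified ciphertext.
func Open(key, sealed []byte) (plaintext []byte, ok bool) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, false
	}
	pt, err := aead.Open(nil, sealed[:n], sealed[n:], nil)
	return pt, err == nil
}

type Result struct {
	TransportServerReads bool // element 1: encrypted in transit, platform decrypts on arrival
	E2EServerReads       bool // element 3: platform relays the message but cannot decrypt it
	E2EBobReads          bool
	FSKeysDiffer         bool // element 2: every session gets its own key...
	FSOldTrafficExposed  bool // ...so a key leaked later does not open earlier traffic
}

func Run(msg []byte) Result {
	var r Result
	alice, bob, server := NewParty(), NewParty(), NewParty()
	aS, sA := alice.SessionKey(server.Pub), server.SessionKey(alice.Pub)
	bS, sB := bob.SessionKey(server.Pub), server.SessionKey(bob.Pub)
	// Transport-only: one hop key, and the server holds it.
	_, r.TransportServerReads = Open(sA, Seal(aS, msg))
	// End-to-end: inner envelope under the Alice<->Bob key, outer under the hop key.
	inner := Seal(alice.SessionKey(bob.Pub), msg)
	relayed, _ := Open(sA, Seal(aS, inner)) // server peels its own layer...
	_, okA := Open(sA, relayed)             // ...and tries every key it holds
	_, okB := Open(sB, relayed)
	r.E2EServerReads = okA || okB
	hop2, _ := Open(bS, Seal(sB, relayed)) // server -> Bob hop
	_, r.E2EBobReads = Open(bob.SessionKey(alice.Pub), hop2)
	// Forward secrecy: a later session between the same users has fresh keys;
	// assume its key leaks and try it on the recorded session-one envelope.
	k2 := NewParty().SessionKey(NewParty().Pub)
	r.FSKeysDiffer = string(alice.SessionKey(bob.Pub)) != string(k2)
	_, r.FSOldTrafficExposed = Open(k2, inner)
	return r
}

func main() {
	fmt.Printf("%+v\n", Run([]byte("meet at 9"))) // constructed sample message
}
```

When reading a company's disclosure against this indicator, the question to ask of each claim is which of these keys the company itself holds: a key the platform can use to open the message on arrival is encryption in transit, not end-to-end encryption, however the marketing describes it.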

Potential sources:

  • Company terms of service or privacy policy
  • Company security guide
  • Company help center
  • Company sustainability reports
  • Official company blog and/or press releases