P16. Encryption of user communication and private content (internet and mobile ecosystem companies)

The company should encrypt user communication and private content so users can control who has access to it.

Elements
  1. Does the company clearly disclose that the transmission of user communications is encrypted by default?
  2. Does the company clearly disclose that transmissions of user communications are encrypted using unique keys?
  3. Does the company clearly disclose that users can secure their private content using end-to-end encryption, or full-disk encryption (where applicable)?
  4. Does the company clearly disclose that end-to-end encryption, or full-disk encryption is enabled by default?
Research guidance

Encryption is an important tool for protecting freedom of expression and privacy. The UN Special Rapporteur on Freedom of Expression has stated unequivocally that encryption and anonymity are essential for the exercise and protection of human rights. We expect companies to clearly disclose that user communications are encrypted by default, that transmissions are protected by “perfect forward secrecy,” that users have an option users have to turn on end-to-end encryption, and if the company offers end-to-end encryption by default. For mobile ecosystems, we expect companies to clearly disclose that they enable full-disk encryption.

Potential sources:

  • Company terms of service or privacy policy
  • Company security guide
  • Company help center
  • Company sustainability reports
  • Official company blog and/or press releases