Independent Assessment: Expanding End-to-End Encryption Protects Fundamental Human Rights
Today, we’re publishing the findings and recommendations of an independent human rights impact assessment (HRIA) on our plans to expand end-to-end encryption (E2EE). The assessment was conducted by Business for Social Responsibility (BSR) in line with the UN Guiding Principles on Business and Human Rights and Meta’s Corporate Human Rights Policy.¹ We are taking the exceptional step of publishing this HRIA in full as a standalone product because we believe it represents a groundbreaking contribution to the ongoing conversation on implementing E2EE while meaningfully advancing the field of human rights.
Privacy is a fundamental human right. End-to-end encryption is a widely used technology that protects the privacy and many other human rights of billions of people every day. E2EE keeps people and their personal communications safe from hackers, criminals and authoritarian regimes. That’s why in 2016 we implemented this technology by default on WhatsApp and as an option on Messenger, and in March 2019 we announced plans to extend this protection by default across our messaging apps.
Since then, we’ve witnessed a global pandemic push more of our lives online, leading to an increased threat of cybercrime and invasion of people’s private communications. At the same time, the threat of authoritarianism is on the rise. That’s why, following Russia’s invasion of Ukraine, we accelerated the deployment of E2EE options on Instagram and promoted our disappearing messaging features on Messenger so that people in the affected countries would have more secure communication. Safe and secure messaging is more important than ever.
Assessment: Expanding E2EE Supports Human Rights, Adverse Impacts Can Be Addressed
This comprehensive rights-based analysis of implementing E2EE is the first of its kind. By analyzing encryption across all rights recognized in the Universal Declaration of Human Rights and a range of other human rights instruments, the HRIA expands existing rights-based analyses and underscores why encryption is important today and in the future.
The report found that:
- Expanding E2EE protects a diverse range of human rights: The report clearly acknowledges the positive human rights impacts of end-to-end encryption. Expanding E2EE will enable people to realize a range of human rights and will address many human rights risks associated with the absence of end-to-end encryption on messaging platforms today. This includes increased realization of privacy, freedom of expression, protection against cybercrime threats, physical safety, freedom of belief and religious practices and freedom from state-sponsored surveillance and espionage. To this end, BSR recommends we proactively advocate in favor of end-to-end encryption and defend against any government’s efforts to undermine it.
- Adverse impacts should be addressed without undermining E2EE: The report found that many of the adverse impacts are system-wide and whole-of-society issues often independent of E2EE, and most occur as a result of individuals or entities using E2EE messaging to harm the human rights of others. The recommendations encourage us to look at marginalized communities around the world, who may benefit the most from end-to-end encryption and are often disproportionately affected by positive and adverse impacts. Rather than prioritizing rights or offsetting one right for another, we’re advised to identify feasible, effective solutions that would address adverse impacts to maximize all rights.
- Our approach to integrity and safety should continue to be implemented: For example, the report looked at the challenge of child sexual abuse material (CSAM) and child exploitation. BSR recommended we continue to invest in effective harm prevention strategies such as metadata and behavioral analysis, user education and robust user reporting, among other tools. BSR also concludes that deployment of client-side scanning technologies as they exist today should not be pursued, as doing so would undermine the integrity of E2EE and disproportionately restrict people’s privacy and a range of other human rights. Instead, the report recommended we continue to investigate potential future technologies and subject them to further human rights due diligence.
Implementing the Recommendations
BSR’s recommendations are designed to help us maximize the positive human rights impacts of E2EE, while mitigating potential adverse impacts. The report includes 45 recommendations broken down into four sections: product, process, product policy and public policy. Our response details our commitment to implementing 34 of the recommendations, partly implementing four, assessing the feasibility of another six and taking no further action on one. We’re committed to implementing the vast majority of the recommendations and working diligently towards our plans for expanding E2EE as a means to help protect people and support their human rights. We’ve already made progress on many of the recommendations, but our work in this area is never done.
Over the years we’ve invested billions of dollars, hired thousands of people and collaborated with experts around the world to help keep people safe without compromising their sensitive and personal information. The recommendations will help guide our approach to safer private messaging for Messenger and Instagram DMs as we implement E2EE by default on these messaging apps: helping to prevent abuse and to safeguard people’s privacy, giving people controls to help them stay safe and not reading people’s personal messages unless they report them to us.
To monitor for harmful or illegal content, many messaging platforms — including Messenger and Instagram DMs — have historically relied on the ability to proactively access people’s messages. With end-to-end encryption, however, only the sender and recipient can access the content of those messages. Scanning technologies that seek to proactively access message content, whether on a person’s device or otherwise, without the person’s consent and control could be abused by criminals, hackers or authoritarian regimes, putting people’s safety at risk. While other reasonable mitigations can and should be enacted, we do not believe such approaches, often called “client-side scanning,” can be developed and implemented in a manner that is rights-respecting, nor can such technologies meet the expectations people have of end-to-end encrypted messaging services.
Our Progress and Collaboration
As we make these major enhancements to our messaging apps, we want to be thoughtful in our approach, comply with our human rights policy and evaluate how our decisions can help respect and support human rights. While we expect to make significant progress this year, implementing E2EE on Messenger and Instagram messaging continues to be a long-term project and we’re taking our time to get this right.
The report emphasizes the need for collaboration across industry, academia, civil society and government to implement end-to-end encryption in a deliberate way that’s consistent with our commitment to people’s privacy, safety and security. We will continue engaging with these partners in promoting the vital human rights end-to-end encryption protects, while remaining mindful of the need to help safeguard all human rights.
1. This assessment was conducted by BSR from 2019 to 2021 using methodologies based upon the UN Guiding Principles on Business and Human Rights (UNGPs), including a consideration of the various human rights principles, standards, and methodologies upon which the UNGPs were built. BSR engaged with a diverse range of rights holders and stakeholders when undertaking this assessment and supplemented the stakeholder inputs with their own insights into the human rights concerns of rights holders and stakeholders gathered in a variety of contexts, including previous HRIAs undertaken for Meta.