Nevada’s Attack on End-to-End Encryption is an Attack on Online Safety

Namrata Maheshwari is Senior Policy Counsel and Encryption Policy Lead at Access Now.

With potential repercussions for protecting privacy worldwide, Nevada’s attack on end-to-end encryption (E2EE) should concern us all. The state of Nevada’s Attorney General is seeking a court order restricting Meta from offering E2EE to minors using Facebook Messenger. This is, simply put, a bad idea. It is a textbook example of how good intentions, in isolation, can pave the way to bad outcomes that negatively impact civil liberties.

My organization, Access Now, joined a group of other civil society organizations, experts, and tech service providers in filing a friend-of-the-court brief to explain why removing E2EE from services such as Messenger will make children more vulnerable online, not less, while also jeopardizing everyone else’s safety.

Children Deserve Privacy And Freedom of Expression Too

Making online spaces safer is rightly a priority for governments worldwide; but removing access to E2EE is not the way to do it. E2EE is non-negotiable for security. It ensures that no one other than the sender and intended recipient(s) of a message can access its contents, not even the platform used to send the message. In an online world where more data about each of us is generated, stored, and shared than we could ever verify, this is an incredible strength. E2EE provides individuals, including children, with a way to conduct private, even intimate conversations, to express themselves freely, to exchange sensitive information about their health or current location, or even to report abuse. If children are forced to rely on unencrypted messaging channels, unsafe from prying eyes, it could be far more dangerous for them to share their live location data, credit card or financial information, and passwords to personal accounts, to report experiences of abuse, or to reach out for assistance with sensitive healthcare matters, such as information on abortion or reproductive health.

Children’s rights organizations, such as the Child Rights International Network and Defend Digital Me, have emphasized the importance of encryption in enabling the full range of children’s rights, warning that a generalized ban on encryption would leave children “vulnerable to a wide range of exploitation and abuse.” They also note that the use of unencrypted messaging services can further harm already disadvantaged or marginalized children – such as survivors of abuse.

Depriving minors of E2EE means depriving them of safe spaces online. In the offline world, we have private spaces for conversation. It is possible to ensure that there is no record of such conversation unless one of the parties chooses otherwise. Even when offline conversations are recorded, there are strict limitations on how, when, and why even law enforcement officials can seek access. Encryption is the boon that makes it possible to replicate this online. Without encryption, every word, image, and video recorded on the internet is susceptible to interception and potential abuse, including by law enforcement. As the UN Human Rights Council has noted, “the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.”

In seeking to ban encryption — and thus infringe on individuals’ right to communicate privately — Nevada is at odds with global best practices, which increasingly recognize that generalized surveillance is anathema to human rights. The office of the UN Special Rapporteur on the Freedom of Expression has long recognized the importance of encryption, urging states not to compel platforms to compromise communications’ privacy and security by prohibiting encryption. Courts elsewhere are also rejecting mandates for the generalized surveillance enabled by removing encryption. The European Court of Human Rights recently rejected a Russian government request for Telegram and other communication service providers to enable decryption and to store users’ communication; essentially the same as not providing E2EE at all. And the African Commission on Human and Peoples' Rights has adopted a resolution calling on states to promote privacy-enhancing technologies and desist from prohibiting or weakening encryption.

It is widely accepted that any restrictions on human rights must meet the thresholds of necessity and proportionality. This means that measures imposed to achieve a particular aim must be effective, using the least intrusive methods possible. A blanket ban on E2EE for all Messenger users under the age of 18 fails on all these counts. It will not make children safer, and will rather expose their data to intrusions and misuse.

Make E2EE the Default

E2EE should be available by default, rather than users needing to opt-in — a long-standing feature in Signal, Apple’s iMessage, and Meta’s WhatsApp, and one that Messenger introduced in late 2023. EE2E by default aligns with data protection and privacy-by-design best practices, by removing the burden from users to actively seek out the “opt-in” setting. This is particularly important when it comes to protecting the data of vulnerable individuals, such as children, who may be even less likely than most people to change their default privacy settings. “Opt-out” website options are criticized because they make rampant data collection the norm and privacy the exception that a user must actively seek out. Similarly, on messaging platforms, an “opt in” for encryption disadvantages the user, and merely offers plausible deniability to the platform to scour personal information and place the blame on the user for not opting in.

If the Nevada Attorney General gets his way, it could also set a dangerous precedent in emboldening other governments, within and beyond the US, to ban E2EE in the name of child safety. Nevada’s courts must reject the state’s motion, not only to protect encryption and children’s rights at home, but also to set a strong precedent, in the domestic and international context. This will prevent others elsewhere from making such blatantly rights-harming demands, tone-deaf to global support for encryption, and strikingly at odds with fundamental human rights.