Kids live in a digital world. Even before they start using online tools, devices and games on their own, parents take pictures of them, share them and store the on the cloud. Encryption is the best tool we have to keep them safe online.
Strong encryption is the standard that is keeping billions of people safe every day. We need to push back against government efforts to undermine it.
Every 21 October, we come together to be part of an annual day of action, when civil society organizations, businesses, technologists, and millions of Internet users across the world come together to promote, protect and defend strong encryption.
See how people around the world are advocating to save strong encryption.
Encryption safeguards the personal security of billions of people and the national security of countries around the world.
The Global Encryption Coalition (GEC) was founded in 2020 by the Center for Democracy & Technology, Global Partners Digital and the Internet Society and now has over 350 members.
Its mission is to promote and defend encryption in key countries and multilateral fora where it is under threat. The GEC also supports efforts by companies to offer encrypted services to their users.
Every day, we promote and protect encryption all over the world. Find out how we take action:
In late 2016, the United Kingdom passed the Investigatory Powers Act, 2016. Among many powers granted to law enforcement, the Act allows the Government to issue Technical Capability Notices (known as “TCNs”) which can be used to force to alter their service to enable law enforcement to intercept user content. For end-to-end encrypted communications, this would force them to undermine the security and privacy of their service by implementing an encryption backdoor. As of September 2022, the British Government is not yet known to have issued a TCN. (updated September 2022)
See what some of our members have said in opposition to the Investigatory Powers Act:
The government of the United Kingdom is currently pursuing legislation, the “Online Safety Bill“ which, if not significantly revised, would force platforms to monitor and filter user content by default, alongside using prescribed technologies to combat child sexual abuse material. While well intentioned, the Bill would have the unintended consequence of forcing end-to-end encrypted platforms to undermine the security and privacy of their users to implement techniques to monitor and filter their user content. These concerns have been raised by many members of the Global Encryption Coalition alongside cyber security experts worldwide. The Legislation is currently under consideration by the UK Parliament. (Updated August 2023)
See what some of our members have said in opposition to the Online Safety Bill:
"},"geometry": {"type": "Point","coordinates": [-3.2765753, 54.7023545, 0.0]}},{"type": "Feature","properties": {"id":"2409","Title":"Encryption Threats in the European Union","display":"", "date":"27 Sep 2022", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2409", "name": "start","popupContent": "
Encryption Threats in the European Union
eIDAS
2021 - Ongoing
In 2021, the European Union (EU) proposed an amendment to the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation that would change provisions related to Qualified Website Authentication Certificates (QWACs). The proposal could empower governments to compel browsers to validate specific Certificate Authorities (CAs) that may or may not comply with industry best practices for ensuring security online. If a web browser is persuaded to accept a fake certificate, a third-party could impersonate the other communicating parties, eavesdrop on the conversation, and/or potentially tamper with or forge the messages exchanged. The amendments are still being discussed in EU Parliament. (updated January 2022)
See what some of our members have said in opposition to eIDAS:
The European Commission is pursuing regulations to combat the proliferation of child sexual abuse (CSA) content online. In their draft regulation, online platforms would be forced to scan user content for CSA content and grooming behavior. While well intentioned, these requirements would force end-to-end encrypted platforms to undermine the security and privacy of their users to implement techniques to monitor and filter their user content. These concerns have been raised by many members of the Global Encryption Coalition alongside cyber security experts worldwide.
In 2022, the governments and legislatures of several EU member states came out publicly against the regulation. In November 2022, the Austrian Parliament passed a binding resolution not to agree to the European Union’s CSA Regulation. The resolution specifically mentions the risks of the CSA Proposal’s general monitoring obligations and the attacks on confidentially of encrypted messages. The German Justice Minister , lawyers for the Bundestag , and the Czech Deputy Prime Minister for Digitalization all came out with similar statements in 2022 opposing the EU CSA Proposal and supporting strong encryption
The legislation is currently under consideration by the European Union. (Updated January 2023)
See what some of our members have said in opposition to the European Union’s CSA Regulation:
In 2015 and again in 2016, a judge in Brazil blocked WhatsApp for failing to comply with a court order to provide information in a criminal investigation. As user content is end-to-end encrypted on WhatsApp, the company could not comply with the court order as they did not have access to the user data. The blocking orders were stayed shortly after they were issued and the legality of the blocking orders is currently being argued at the Brazilian Supreme Court. In 2020 2 votes (out of ~11) were in favor of end-to-end encryption before the court was adjourned so a judge could look at the facts of the case. The court may reconvene to reach a final decision. However, in 2020, the Brazilian Superior Court of Justice (STJ), which deals with abstract legal issues vs. specific cases,decided definitively that a company (Facebook/WhatsApp) cannot be sanctioned (with fines or by having its services blocked at the level of infrastructure) for having adopted E2EE to protect its users. (Updated August 2023)
See what some of our members have said around the WhatsApp Blocking Case:
The Brazilian Congress was considering passing legislation aimed at addressing disinformation. However the Bill , known as the “Disinformation Bill” would also have implications for end-to-end encrypted services. Among the requirements in the Bill, messaging providers would be forced to provide traceability, an unclear concept. With little clarity on how to achieve traceability, companies would break end-to-end encryption to trace messages on their platform. Due to advocacy from the Brazilian and international civil society communities, the Disinformation Bill no longer contains traceability requirements in its most recent form. (updated January 2023)
See what some of our members have said in opposition to the Disinformation Bill:
In December 2021, the Romanian Chamber of Deputies passed the national implementation of the European Electronic Communications Code (EECC Directive). Increased powers for law enforcement surveillance were included in the implementation, including an obligation to allow access to the content of encrypted communications transited in their own networks. Complying with the regulation would require implementing an encryption backdoor for end-to-end encrypted communications services. The Romanian Senate passed the legislation in early 2022. (updated January 2023)
Proposed Russian legislation, would prohibit the use of any encryption protocol that hides the name or identifier of a destination web page or site. This would affect connections such as HTTPS (web) connections using Transport Layer Security (TLS) version 1.3 that also use a setting called encrypted server name indication (ESNI), as well as protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) – which encrypt DNS queries.
See what some of our members have said in opposition to the Russian Proposal to Ban Encrypted Protocols:
In July 2019,users of Kazakh mobile operators trying to access the Internet have received text messages indicating that they need to install government-issued root certificates on their mobile and desktop devices. By installing a government-issued root certificate, the government would have the capability to impersonate the other communicating parties, eavesdrop on the conversation, and/or potentially tamper with or forge the messages exchanged. The major browser providers announced that they would not accept the government issued certificate. (updated September 2022)
See what some of our members have said in opposition to the Kazakhstan Man-in-the-Middle Attack:
In 2021, the Belgian Government proposed Data Retention Legislation that would enable law enforcement to force companies to “turn-off“ end-to-end encryption on demand. The legislation was expected to go to Parliament around October 2021, and if it went to Parliament it was seen as likely to move forward into law. Global Encryption Coalition members organized a campaign with local allies against the legislation. The campaign included media outreach, an open letter, and meetings with key decision-makers. In large part because of efforts of members of the Global Encryption Coalition and their allies, support for the legislation crumbled. The main Belgian opposition party has called for Parliamentary hearings on why the Belgian government is trying to break encryption with this law, Digital Affairs Junior Minister, Mathieu Michel, expressed his opposition to the encryption provision in a newspaper article, and the Belgian Government removed the obligation for companies to create encryption backdoors from the revised text of the Belgian Data Retention Legislation. In a further win, the Belgian Justice Ministry noted publicly that “at the moment [law enforcement access to end-to-end encrypted communications without breaking the security of all users] appears to be impossible …” (updated September 2022)
See what some of our members have said in opposition to the Belgian Data Retention Legislation:
In 2020, the German Government proposed a controversial legislation, dubbed the “G-10 Legislation,” which would give German law enforcement services expanded surveillance powers. Among the most concerning aspects of the legislation was the power to allow the German government to force over the top services (OTTs), such as end-to-end encrypted communications platforms, to aid them in hacking end points – doing things like sending poisoned updates to apps. This would potentially undermine e2e encrypted applications. Because of the efforts by local and international civil society and industry, including Global Encryption Coalition members, the text of the legislation was changed to explicitly exclude over-the-top services (OTTs) from the assistance obligations. The legislation passed in June 2021. (updated September 2022)
See what some of our members have said in opposition to the G-10 Legislation:
In 2021, the Mauritian government published consultation paper on proposed amendments to the country’s Information and Communications Technology (ICT) law. The proposed ammendments aimed to address abuse and misuse of social media by “requiring the decryption of all web traffic deemed to be ‘social media,’ by intervening in the issuance of security certificates for HTTPS traffic, which would then be routed through government-controlled proxy servers.” This would undermine the use of end-to-end encrypted protocols on the Internet. After local and international outcry, the amendments have not been passed into law. (updated September 2022)
See what some of our members have said in opposition to the Amendments to ICT Act:
"},"geometry": {"type": "Point","coordinates": [57.534935, -20.321973, 0.0]}},{"type": "Feature","properties": {"id":"2393","Title":"Attempts to Ban DoH and DoT in the ITU","display":"", "date":"28 Sep 2022", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2393", "name": "start","popupContent": "
Attempts to Ban DoH and DoT in the ITU
Late 2020 - January 2021
In early 2021, some member states in the International Telecommunications Union suggested banning the use of two important encryption Internet protocols, DoH and DoT. While eventually unsuccessful, this was a dangerous move that could have greatly undermined the security and privacy of the global Internet. (updated September 2022)
"},"geometry": {"type": "Point","coordinates": [6.1379676, 46.2222511, 0.0]}},{"type": "Feature","properties": {"id":"2397","Title":"Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Australia)","display":"", "date":"30 Jan 2023", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2397", "name": "start","popupContent": "
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Australia)
December 2018
In late 2018, the Australian Government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, also known as the “TOLA Act.“ Among the many new powers the TOLA Act creates for Australian law enforcement, it allows them to issue “Technical Capability Notices, or “TCNs,” which require companies to alter their service to provide law enforcement access to user content on their platform. For end-to-end encrypted communications, this would force them to undermine the security and privacy of their service by implementing an encryption backdoor. While the Australian Government has used some of the other powers granted by the TOLA Act, the Australian Government is not yet known to have issued a TCN. (updated January 2022)
See what some of our members have said in opposition to the TOLA Act:
"},"geometry": {"type": "Point","coordinates": [134.755, -24.7761086, 0.0]}},{"type": "Feature","properties": {"id":"2583","Title":"Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms, 2021","display":"", "date":"30 Jan 2023", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2583", "name": "start","popupContent": "
Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms, 2021
Late 2021 - Ongoing
The draft “Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms, 2021” presents a new content governance framework for digital, social media and OTT platforms operating in the country. It seeks to legally limit intermediary liability protection and introduce traceability within end-to-end encrypted services offered by social media and messaging platforms. (updated January 2023)
See what some of our members have said in opposition to the Bangladesh Telecommunication Regulatory Commission Regulation for Digital, Social Media and OTT Platforms, 2021:
"},"geometry": {"type": "Point","coordinates": [90.2934413, 24.4769288, 0.0]}},{"type": "Feature","properties": {"id":"2589","Title":"Draft Code of Practice for Interactive Computer Service Operations (Nigeria)","display":"", "date":"30 Jan 2023", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2589", "name": "start","popupContent": "
Draft Code of Practice for Interactive Computer Service Operations (Nigeria)
May 2022 - Ongoing
In 2022 the Nigerian National Information Technology Development Agency (NITDA) released a draft bill, the Draft Code of Practice for Interactive Computer Service Operations (the “Code“), which seeks to regulate Internet platforms. Among the Code’s requirements include traceability requirements. The consensus among cybersecurity experts is that traceability will have negative consequences for the privacy and security of all users. The Code is currently being revised by NITDA based on feedback from a public consultation period. (updated January 2023)
In October 2022, the Turkish legislature passed new legislation that amends several existing laws, including the Internet Law, the Press Law and the Turkish Penal Code. The Disinformation Law expands the scope of these existing laws to cover over-the-top (OTT) services. In addition, it introduces some new requirements. Among the most concerning of these new requirements for OTTs and encryption is the requirement to remove online content and disclose user data. If secondary legislation, which interprets the Disinformation Law for implementation, were to require providers of end-to-end encrypted services to disclose users’ messages in decrypted form, it will force these providers to undermine the security of their users by building vulnerabilities into their systems. The Turkish Information and Communication Technologies Authority is currently developing the secondary legislation. (Updated January 2023)
See what some of our members have said about the Turkish Disinformation Bill:
In August 2020, the Chinese Government appeared to begin blocking all web connections (HTTPS) that use Transport Layer Security (TLS) version 1.3 alongside a setting called encrypted server name indication (ESNI). TLS 1.3 improves the security, privacy, and performance of websites and TLS 1.3 is available in all major browsers and web server products. Undermining the use of TLS 1.3 makes users more vulnerable to security and privacy threats.
See what some of our members have said in opposition to China blocking TLS 1.3:
"},"geometry": {"type": "Point","coordinates": [104.999927, 35.000074, 0.0]}},{"type": "Feature","properties": {"id":"2603","Title":"Encryption Threats in United States","display":"", "date":"9 Aug 2023", "excerpt":"","category_name":"Encryption Threats", "category_id":"20", "image":"", "link":"https://www.globalencryption.org/?p=2603", "name": "start","popupContent": "
Encryption Threats in United States
EARN IT Act
September 2020 - December 2022
In 2020, the EARN IT Act was introduced to United States Congress. The legislation aims to make changes to Section 230 of Title 47 of the US code, which provides intermediary liability for user content shared on Internet platforms. EARN IT Act would undermine the intermediary liability protections for platforms, forcing them to monitor user content or face legal risk for their users activities. In addition, EARN IT Act makes it so courts could consider the offering of end-to-end encrypted services as evidence to prove that a provider is complicit in child exploitation crimes. As a result, the EARN IT Act would heavily disincentivize companies from offering end-to-end encryption, and instead prompt them to develop encryption backdoors. The EARN IT Act was reintroduced to Congress in January 2022.
The EARN IT Act failed to pass before the end of the 117th Congress. (Updated January 2023)
See what some of our members have said in opposition to the EARN IT Act:
The Lawful Access to Encrypted Data (LAED) Act was introduced to United States Congress in January 2021. This legislation would directly undermine encryption by giving law enforcement the power to force companies to build encryption backdoors to allow access to user content. The LAED Act failed to be enacted during the 2019-2021 Congress and has not been reintroduced.
See what some of our members have said in opposition to the LAED Act
In 2023, the STOP CSAM Act was introduced to United States Congress. The Legislation would allow any company, non-profit, or individual that is involved in operating any significant aspect of the Internet ecosystem or involved in distributing software that is used in Internet communications, to be subject to lawsuits brought by victims of child abuse. Second, those entities and individuals subject to suit could be held liable for being “reckless” in actions that “facilitate” or “promote” communications over the Internet. To attempt to safeguard themselves from potential civil liability, Internet computer service providers may be forced to introduce encryption backdoors, undermining the security and privacy of all users. (Updated May 2023)
The Cooper Davis Act was introduced to US Congress in 2023. The Cooper Davis Act would compel companies to report on their users communications directly to the US Drug Enforcement Agency. Companies are required to report when they have knowledge of facts and circumstances “establishing that a crime is being or has already been committed” involving illegal narcotics activities. In an ammendment to the legislation, the Cooper Davis Act would require that the provider not “deliberately blind itself” to violations. Given the current discourse among the US Justice Department around encryption, thi vague requirement would likely be used by prosecutors to infer liability on end-to-end encrypted services. It is impossible to monitor user content on end-to-end encrypted services, leading the providers of these services to make the choice undermine the encryption of their services in order to avoid liability. (Updated August 2023)
What did people and organizations tell us on their choice to use and implement strong encryption?
Nowadays, censorship and cybersecurity issues are on the rise. Owing to the centralized nature of big tech platforms, every message sent by users is stored on their central cloud servers. This centralization turns user data into an enticing resource for powerful entitie and advertising firms. User data privacy and ownership have been completely stripped away! ... Read More
Our end-to-end encrypted cloud collaboration service helps thousands of teams protect the privacy of their most valuable data. Organizations of all shapes and sizes, from NGOs to education and research institutes, small-and medium sized businesses and larger corporations, rely on Tresorit’s end-to-end encrypted service to make sure that their files are only readable to them ... Read More
Security and privacy are vitally important to Zoom users. Both free and paid users can opt to host end-to-end encrypted meetings within their accounts. Zoom E2EE meetings can accommodate up to 1,000 people! As a global leader for secure communications, we look forward to expanding our support for E2EE to Zoom Phone in the ... Read More
