Smartphone Encryption: Protecting Victim Privacy While Holding Offenders Accountable

/

The last few months have seen heated debates between law enforcement and technology companies over the issue of smartphone encryption. The government has argued that encrypted devices and new technologies make it more difficult for law enforcement to investigate crimes while technology companies claimed that weakening encryption weakens security for everyone. Currently, Congress is drafting a bill that would require technology companies to make encrypted data readable, and several state legislatures have introduced legislation to block the sale of encrypted smartphones

At the core of the encryption debate is the concept of privacy and technology security. Technology nowadays – in particular the smartphone – collect and store an unprecedented amount of private information, including personal health data, access to online accounts (such as social media and email), videos and pictures, and so much more. Some of this information can be especially private and something a user may not want others – a friend or family member, an abusive partner, or an employer – to know about. For those individuals, the security on their smartphone can enhance or strip away that privacy.

Through the Safety Net Project at the National Network to End Domestic Violence, we have been addressing the intersection of technology and violence against women for over 15 years, and have trained more than 80,000 victim advocates, police officers, technologists, and other practitioners. In looking at how technology can be misused to facilitate stalking and harassment and how survivors can use their technology to attain safety, privacy is a recurring and fundamental component.

For victims of domestic violence, sexual assault, and stalking, privacy and data security are integrally connected to their safety. A survivor’s smartphone is their lifeline; yet their smartphone can also be incredibly vulnerable to misuse by an abuser. A survivor’s smartphone is often one of the first things an abuser will target simply because of the amount of information on there. If they can compromise the victim’s smartphone, they have access to all phone calls, messages, social media, email, location information, and much more. For these reasons, smartphone security and encryption is essential to safeguarding the privacy of victims’ personal information.

The other side of the encryption debate is the ability for law enforcement to hold offenders accountable, which is something we also strongly support. When abusers misuse technology to threaten and terrorize, investigators can trace the digital trail to discover and prove who committed the crime. An encrypted smartphone makes it more difficult for law enforcement to access information on that phone if the owner is unwilling or unable to unlock it.

While law enforcement should not be impeded in their ability to investigate a crime, it’s important to recognize that smartphone encryption does not prevent law enforcement from doing an investigation of technology-facilitated domestic violence, sexual assault, and stalking. In these types of crimes, the goal of the perpetrator is to wield power and control over the victim by controlling the victim’s technology, harassing the victim through messages or phone calls, monitoring their activity, or disseminating harmful and devastating rumors about the victim. It is often an interaction between the victim and perpetrator through a third party, and digital evidence or proof of this harassment and abuse could exist elsewhere: on the victim’s own devices or an online platform (Facebook, email, etc.).

There may be circumstances in which evidence only exists on the perpetrator’s device. This could be the case in a sexual assault, for example, in which the perpetrator recorded or took videos of the assault on his/her device and has not yet shared them or posted them publicly. In situations such as this, unless the videos or photographs were uploaded online or backed up, the evidence may not be anywhere but on the perpetrator’s smartphone.

In most cases, however, it is possible for law enforcement to successfully investigate and build a domestic violence and sexual assault case without needing the perpetrator’s smartphone. For example, evidence of harassment via emails, texts, or social media will also exist on other technology platforms. If the abuser purchased monitoring software or is tracking the victim through a paid service, there might be financial records. In some cases, the survivor may have access to some of the evidence that might be needed. While survivors should never be in the position of having to investigate their own crimes, they are often in the best position to know what’s happening, and they should be involved and part of the process.

Balancing Victim Privacy and Offender Accountability

Ultimately, for survivors of domestic violence, sexual assault, and stalking, the smartphone encryption issue comes down to balancing victim privacy and offender accountability. Both are equally important but neither should be compromised for the other. Victim privacy is fundamental to victim safety, and the technologies survivors use should have the most security and encryption possible.

It’s also important to recognize that weakening smartphone encryption to allow law enforcement access means weakened encryption—period. If an abuser is technologically savvy or is in law enforcement, their victim may have less privacy and security on their smartphones. There is no professional immunity to those who commit violence against women, and perpetrators of domestic and sexual violence work in all fields, including technology companies and law enforcement agencies.

We believe it is possible for law enforcement to investigate technology-facilitated domestic violence, sexual assault, and stalking crimes, without compromising victim privacy through weakened smartphone encryption. Law enforcement, federal funders, technology companies, and the victim advocate community need to come together to figure out how to support survivors and help them be safe while also holding offenders accountable.

Instead of finding ways to get around smartphone encryption, law enforcement agencies deserve and need far more resources to investigate crimes facilitated through technology. Law enforcement should be given more information and tools so they not only know how technology is misused to facilitate crime, but all the different places where the evidence could exist, and the proper process and method on gathering this evidence. A good, thorough investigation of technology-facilitated domestic violence, sexual assault, and stalking goes beyond examining a perpetrator’s encrypted smartphone.

At our annual Technology Summit, we ensure that there are sessions geared specifically for law enforcement professionals, so they can take this knowledge back to their communities. We’ve worked with other national organizations, such as the International Association of Chiefs of Police, to develop articles to share this knowledge with law enforcement. Despite 15 years of addressing this issue, however, we still hear from survivors and their advocates that thorough investigation of technology-facilitated crimes is not happening consistently across the country. Rather than proposing legislation requiring access to encrypted data on a smartphone or banning encrypted smartphones, we encourage legislators and advocacy groups to look at what is actually needed to fully investigate these crimes and to truly address what law enforcement can do to hold offenders accountable.

New & Updated Resources on Facebook Privacy & Safety

/

We recently had the exciting opportunity to collaborate with Facebook on their international roundtables on Women’s Online Safety and were able to participate in three of these events in Washington, DC, Hyderabad, India, and New York City. The roundtables featured leading voices from many of the nation’s gender based violence (GBV) organizations as well as government representatives from various countries.

The roundtables were devised to create space for GBV organizations to contribute to the broader conversation on how Facebook in particular can engage the voices of women and create a safer environment for women to use the platform without fear of harassment and threats.  The goals of the roundtables were:

  1. To share existing Facebook tools women can use to help with privacy and safety.

  2. To share innovations Facebook is currently working on to improve the user experience. 

  3. To hear concerns from the field on what users are experiencing. 

  4. To create a network for GBV organizations to foster continuous conversations and provide a support structure for women users. 

The roundtables included conversations around Facebook’s Real Name Policy. Facebook has strongly backed their long-standing policy for users to be authentically identified by their real names. This policy also minimizes the ability for abusers and perpetrators to hide behind fake accounts and increases the likelihood that abusers misusing the platform to harass, threaten, or stalk a person can be held accountable. The policy has received some push-back, however, and Facebook addressed the various steps they have taken to allow some flexibility for individuals who are going by a different name in their everyday lives than their legal name.

All of the meetings discussed counter speech, which is used to combat negative comments posted on an account. By using counter speech, users can ask their audiences to post positive comments and help manage some of the negative, threatening, and harassing comments they are receiving.

During the roundtables, Facebook and Safety Net introduced the new Guide to Staying Safe on Facebook. This guide is a condensed version of the Privacy & Safety on Facebook: A Guide for Survivors of Abuse, providing short and concise tips on privacy and safety settings. Both resources can be found in our Privacy & Safety on Facebook page of the blog.

The roundtables were an incredible success. We appreciate the opportunity Facebook provided for global GBV organizations to convene and share their concerns. We will continue to foster collaborations between technology companies, government organizations, and non-profits to help eradicate violence against women in all forms, including in online spaces. To learn more about the roundtables and all of the great topics discussed, visit #HerVoice. Also, check out our video series on Facebook Privacy, Security and Safety!

Celebrating Data Privacy Day – Ask Before You Post

/

January 28th is internationally recognized as Data Privacy Day. This day began as, and continues to be, a way to create awareness about the importance of privacy and protecting personal information—a crucial component of survivors’ safety.

Obtaining privacy over personal data can seem almost impossible in today’s digital age. A significant amount of our lives is online, and even our offline activities seem to emerge online… somehow, whether we want it to or not. I gave a presentation recently and the organizers took photos and posted them in a public photo album that included my full name. But this is not an isolated event, this has happened several times in my work. During another presentation, attendees were tweeting out my quotes followed by my full name. At no point was I asked for my permission. It becomes my responsibility to actively reach out and communicate any privacy needs. It’s usually just assumed that people are ok with sharing their lives on the web. This is unfortunate. For survivors of abuse, whose privacy is directly linked to their safety, staying on top of what people and companies do with their personal information can be downright exhausting.

We need to shift our collective thinking around data and privacy. Just because it can be online, does not mean that it should be. People often feel bad or uncomfortable asking others to remove online posts or requesting basic information about privacy policies. It’s time to flip the narrative on this. It’s ok to share privacy needs and requests. It’s ok to ask for content to be removed. Privacy is critical to safety for survivors, but survivors shouldn’t have to disclose safety concerns for their privacy to be considered or taken seriously. If we approach this from a privacy-first framework, we can actually start protecting privacy instead of chasing after it.

We’ve all heard tips about protecting our own privacy. That list is everywhere. Let’s celebrate Data Privacy Day differently this year - let’s consider some steps we can take to protect other people’s privacy. If we can create this shift in culture, our own privacy will also be more protected.  

1.       Ask before you post pictures of, or content about, other people.
Not everyone wants their information or images online - Or maybe they don’t care if it’s shared with a limited audience, but prefer that it not have a public audience. You can never assume. Even your selfie-obsessed friend deserves privacy.

2.       Ask before you post pictures of, or content about, other people’s kids.
I know this one can be hard. I mean, do they not see how adorable their kid is? Or how adorable my kid is sitting next to their kid? Privacy over cuteness, people. We have to get our priorities straight.

3.       Think before you share something that was sent to you and ask for permission.
Just because someone shared it with you or on their Facebook page, doesn’t mean they want it shared with everyone you know.

4.       If you run a business or organization website or social media site – ask before you post content that is personally identifying.
Even better, create policies and practices around how you ensure full consent.

Do you see a pattern here? Asking before sharing is the fundamental part of ensuring that people are in control of their privacy. It’s easy to think that we’re all just a needle in a haystack and wonder what issue could possibly come from a simple post or tag. But we live in a world of search engines and even if your page doesn’t have many followers, that content can pop up with a simple Google search. Changing how we treat other people’s information will transform our own privacy risks in the future. Join us in creating a culture of respect and consent in regards to privacy.

Erica Olsen
Deputy Director, Safety Net Project