What would a world of pervasive encryption look like? How would it change the ways in which we use the Internet? How do we get to that world? And how would law enforcement work?
These were some of the questions that we asked to a set of international experts (including law enforcement, private sector, civil society, technical community, intergovernmental agency) to address a few weeks ago during an Internet Society hosted panel at the 2015 Internet Governance Forum (IGF) in Brazil.[1]
For those wanting more background on the panel, please read the post I wrote before the event: Imagine an encrypted world! A workshop at the IGF 2015.You may also want to read more about our positions and projects related to encryption.
For the others, here are some key takeaways from the discussion:
While all panelists agreed there is both a need to ensure the security of citizens and to protect the confidentiality of online communications, views diverged on whether exceptional access for governments to encrypted material would be effective, technically feasible and proportionate.
Investigation of crimes vs. broad data collection First, an important distinction was made between what law enforcement does in the investigation of specific crimes, and what intelligence services might do as a matter of bulk data collection and the interception of signals, whether they be encrypted or not, for the use of objectives that are different. The point was made that crime investigation would usually focus on data at rest (mobile device, computer, etc) and follow stricter judicial oversight.
Factors leading to a world of pervasive encryption Playing the game of imagining a world of pervasive encryption, many speakers agreed that the drivers that could lead to this scenario would likely include public scandals that could trigger policy change (e.g. broad legislation by some governments increasing surveillance, CEO or political figure being victim of an attack due to weak encryption, major data hack in public administrations, etc). Another factor could include further steps from companies to deploy end-to-end encryption as a competitive advantage to regain customer trust (e.g. Apple has enabled end-to-end encryption in its iMessage application). Most guestimates on the panel led to a scenario where encryption will be pervasive in the next 5-10 years, even though the types of encryption technologies used could be very diverse and at varying strength levels at different layers of the user experience.
Alternative means for law enforcement The discussion raised the fact that while full access to unencrypted data would likely make the job of law enforcement agencies (LEA) easier, there are alternative means they can use, or are using, to target criminals. This includes targeting other parties that are involved in related crimes, using metadata to track patterns and relationships, and the employment of malware/spyware in exceptional cases. However, all these means usually require extensive legal thresholds for their use. Some raised that the increasing number of connected objects will also offer law enforcement agencies with new means to investigate crimes (while also raising further privacy concerns). It was also raised that technological means may not always replace investment in employing human intelligence. A related point was made by a panelist that there should be a similar level of barriers to the ones that were there before the Internet when it comes to intrusion in people’s privacy to investigate crimes. In other words, we shouldn’t fundamentally alter the principles that were valid for law enforcement pre-Internet just because technology has made possible new ways to intercept communications.
Encryption backdoors Several voices raised questions on whether it would be possible for governments to have exceptional access to encrypted material, as there does not seem to be an effective and widely acceptable solution currently. Technical insights indicated that strong encryption with forward secrecy would likely be unbreakable. However, data sitting at rest usually needs some credentials that could be retrieved from a device. Example was given of banks that are required to build their data systems in ways that support law enforcement/judicial requests.
Contextualise the debate Adding a layer of geographical context to the discussion, it was highlighted that many countries actually use national security arguments as a way to censor information and track political dissent. It is therefore important to contextualize the debate on the understanding that exceptional access to encrypted material – assuming it was possible and desirable – might sometimes be used in ways that will explicitly restrict fundamental rights, including freedom of expression. Reference was made to the 2015 Freedom on the Net report to sustain that point.
Need to build trust frameworks Eventually, with the likelihood that encryption will be more widely spread and available in the next 5 to 10 years, a key conclusion from the workshop was that the public debate should also focus on building new trust frameworks between law enforcement and citizens. A suggestion was made that the vision of a world with encryption by default (that protects users’ confidentiality and trust) could be compatible with systems where citizens could have the opportunity to contribute to community efforts towards crime prevention.
Overall, this exchange demonstrated the value of addressing this issues with all concerned parties at the table and identified a few key areas where the discussion needs to continue. As both security threats and interest in the use of encryption are not likely to decrease any time soon, the need to have a meaningful dialogue with law enforcement and other stakeholders is more important than ever and should intensify in the upcoming months.
The Internet Society stands ready to contribute to this debate and to offer a table to convene this necessary dialogue.
—–
[1] The panelists involved in this session were:
- Mr. Frank Pace, Sergeant, Digital Forensics Investigative Unit, Strategic Information Bureau, Phoenix Police Department
- Mr. Ted Hardie, Executive Director, Internet Architecture Board
- Ms. Carly Nyst, civil society, former Privacy International, international privacy expert
- Mr. Michael Nelson, Internet-related global public policy issues, CloudFlare
- Ms. Sanja Kelly, Project Director, Freedom on the Net report
- Ms. Xianhong Hu, intergovernmental, Division for Freedom of Expression and Media Development, Communication and Information Sector, UNESCO
Image credit: Christiaan Colen on Flickr. CC BY SA