State-led Interference in encrypted systems: A public debate on different policy approaches

20 Dec 2017 09:00h - 10:30h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

This session, moderated by Dr Cristine Hoepers, General manager for CERT.br in Brazil, and Professor Carlos A. Afonso, Executive Director of the Instituto Nupef in Brazil, featured discussions on the different approaches that are implemented or considered to address the development and use of encryption online. As emphasised by Hoepers in her introductory comments, various policy options are now being discussed at national and international levels, raising both technical and legal concerns regarding their implementation.

During the first segment of the session, government representatives from the Netherlands and the UK presented their respective national approaches in dealing with the use of encryption. Ms Elinor Buxton, the Deputy Head at EU and International Data in the UK Foreign and Commonwealth Office insisted that the general position of the UK government is to support strong encryption. Encryption is key to protecting citizens’ communications , in particular vulnerable individuals, journalists, or political actors. Nonetheless, telecoms operators have to provide unencrypted information when requested in a warrant from independent judicial authorities. Encryption represents a challenge for the UK government, as shown by the increased use of end-to-end communication. Thus dialogue with Internet platforms is crucial for preventing their services from being used for nefarious purposes.  The position of the UK government is not to weaken encryption, but to look at technically feasible encryption workarounds. Buxton concluded by recalling that there is no absolute right to privacy in the UK, but that the UK government is committed to ensuring access is requested according to a proportionate and necessary approach.

Then, Ms Nina Leemhuis Janssen, a Senior Policy Officer at the Netherlands Ministry of Security and Justice, presented the national position of the Netherlands regarding encryption. A policy paper stating the general position of the Dutch government was issued in January 2016, following an inter-ministerial consultation process. The position of the Dutch government is not to support restrictive measures on the availability and use of encryption. But encryption generates important dilemmas in terms of security and privacy. There are currently no standards for decrypting encrypted data, without weakening encryption. Journalists, states, companies, and the e-government society rely on the use of encryption to protect information and to secure communication. At the same time, citizens and companies want states to protect them against intellectual property rights infringements or crimes for instance. Instead of accessing encrypted data, access to metadata can often be a crucial alternative for law enforcement agencies, and can sometimes be considered enough to prosecute criminals.

During the second segment of the session, a number of selected experts gave their views on different policy approaches to address the development of encryption. Mr Sunil Abraham, Executive Director at CIS India, presented the other types of policy options that governments can take in dealing with encryption. Some in developing countries opt for the prohibition of certain standards and keys, while other governments attempt, via different means, to interfere with or block the development of strong standards, in venues such as the Internet Engineering Task Force (IETF). There are also more positive types of government interference. For instance, India requires government offices to use encryption to keep their communications confidential. Some governments also invest heavily in mathematics and cryptography research.

Ms Estelle Massé, a Senior policy analyst for the Brussels office of Access Now, developed the position of Access Now regarding encryption. Massé referred to a joint letter recently sent to ‘Five Eyes’ agencies against weakening encryption. States are now working on encryption workarounds, such as government hacking. The position of Access Now is to call for a ban on government hacking, in particular because of its disproportionate impacts on human rights.

Dr Demi Getschko, the Chairman of NIC.br in Brazil, argued that everyone has the right to use strong encryption. Weak encryption can be considered worse than no encryption at all, since it may bring a false sense of security. Getschko insisted debates should avoid opposing security and privacy.

Mr Neide Oliveira, Prosecutor at the Brazilian Federal Prosecution Service, presented the position of Brazil regarding encryption. The Brazilian government is not against cryptography. Every citizen has the right to encrypt their data and communications. But it does not mean individuals committing crimes should not be investigated. Companies should seek the safest way to allow the investigation of people using their services and cooperate in order to prevent crimes. Sometimes, companies refuse to share metadata that is available with the Brazilian authorities and this can hinder the work of law enforcement agencies.

Professor Monica Guise Rosina, Public Policy Manager at Facebook in Brazil, then summarised the position of Facebook regarding encryption. Facebook supports strong encryption and considers it is not technically feasible to weaken encryption without weakening the security and privacy of all. Recent instances of high profile data breaches further demonstrate the need for encryption. But there is no place on Facebook for terrorist or child exploitation content. The company complies with every applicable law, and collaborates with public authorities by blocking certain accounts and disclosing metadata or unencrypted data.

Ms Riana Pfefferkorn, Fellow at the Stanford Center for Internet and Society in the USA, argued that while governments suggest companies should live up to their responsibilities, it remains unclear what exactly these responsibilities are. Internet companies have responsibilities towards Internet users as well as to law enforcement. For Pfefferkorn, the debate on weakening encryption is over, since the technology is out there for anyone. The conversation should shift to addressing encryption workarounds, such as lawful hacking, vulnerabilities and the use of metadata.

Dr Seth Bouvier, Senior Advisor for Cyber Policy at the US Department of State, expressed the strong support of the US government regarding strong encryption in protecting human rights and secure communications. Discussions on encryption should take more account of the public interest on these issues, especially in light of the rise of ransomware online.

Finally, Dr Christoph Steck, Director of Public Policy and Internet at Telefónica in Spain argued that changes in the technology have led to shifts in the debates towards lawful hacking. Hacking could provide significant access to governments and may have negative consequences for human rights.

By Clément Perarnaud