Report 16 January 2018

Front, Back, and Trap Doors: Refocusing the Encryption Debate

by Mirko Hohmann
GPPi

The “if” and “how” of regulating encryption technologies has long been a matter of heated debate. One side argues that users should be able to use strong encryption to protect their data fully, not only from access by criminals or companies, but also from governmental access. On the other side, some security and law enforcement officials argue that no technology should be designed to prevent lawful access (i.e. with a court order) by their agencies. To preserve their ability to detect threats and investigate serious crimes, they argue, information on smartphones and the communication between users should be made available to them in a readable form. After all, the information protected by encryption includes that of many criminals. In a changing technical environment where an increasing amount of important data is unavailable to government agencies due to the use of encryption technologies, some officials argue that they are “going dark.”

Thus, at regular intervals, groups of government officials call for legally and technically anchored means of accessing data protected by such technologies. After all, they argue, data should be accessible upon presentation of a search warrant. During the first major debate on the topic – the first “crypto war” of the 1990s – proponents of such regulation demanded that law enforcement be equipped with direct access to information, thus bypassing companies through a “back door.” In recent years, the argument has changed. The regulations proposed are increasingly vague and, if implemented, would force companies to develop their technology in a way that would enable them to retain access and share data with the authorities when asked. In that scenario, encrypted information would be accessed through the “front door.”

While public authorities need to be able to meet the challenges posed by digitization, the demands for legally guaranteed access are neither expedient nor desirable, for three reasons:

  • Lack of need. While officials claim that they are increasingly “going dark,” it is also fair to argue that we live in a “golden age of surveillance”: more and more communication takes place online and can be tracked or eavesdropped on. Importantly, both lines of argument are often supported only anecdotally. At this point, however, a review of publicly available data on the problems that encryption technologies pose for public authorities does not suggest a compelling need for new solutions.
  • Unclear implementation. Hundreds of different encryption technologies exist worldwide, almost half of which are available online for free. It is therefore doubtful that regulations in individual countries would have a lasting effect on the availability of such technologies to criminals, as alternatives can always be found. It is also unclear how demands for lawful access should be technically implemented.
  • Negative externalities. While the need for and implementation of possible regulations remain unclear, the negative externalities of such potential measures can be easily demonstrated. These would (1) reduce IT security through the introduction of new technical vulnerabilities, (2) erode confidence in the technology industry, and (3) bolster the position of authoritarian states that have been calling for such access for years, thus threatening human rights worldwide.

In sum, there is little evidence to support an argument for the regulation of encryption technologies. Going forward, rather than making vague demands, public authorities should focus on alternative investigative methods to retain their ability to work effectively in a world of modern information and communications technologies. Reforms in the following areas are particularly suitable:

  • Personnel and training. Due to technological change, the requirements for investigative work are constantly changing. Therefore, authorities need more support from IT specialists. More importantly, it is necessary to promote expertise about the use of digital evidence as well as other new methods and tactics through training and similar measures. Such training is particularly relevant for security and law enforcement agencies, but should also take place in public prosecutors’ offices and courts.
  • Reform of the mutual legal assistance regime. Data that is stored in a different jurisdiction might be just as far from the reach of national authorities as encrypted data. Given the international nature of the digital economy, such cases will increase and there is a need to work better across jurisdictions. In this context, it is urgent to reform the current mutual legal assistance regime in order to simplify cross-border investigations.
  • Governmental hacking. Through online searches or the monitoring of communications directly at endpoints like smartphones or laptops, authorities can bypass encryption technologies and gain access to data on these devices before it is encrypted. Such hacking methods, which typically exploit vulnerabilities in software and hardware, will play an increasingly important role in the digital age. At the same time, they are highly controversial – and for good reason. It is therefore all the more necessary to clarify open technical and legal questions and to draw up vulnerabilities equities processes. These processes specify how government agencies’ knowledge of vulnerabilities must be managed and should be as transparent as possible.

Controversial demands for front or back doors for state actors can be met with reforms in these areas. All stakeholders, including the private sector and civil society, should engage in a constructive dialogue to shift the conversation accordingly. This might also prevent the pursuit of demands for other disputed investigative methods, such as data retention or data localization. Finally, it should be emphasized that it is incumbent on those demanding new regulation to provide evidence for its necessity and to explain their ideas for its technical implementation. As they stand, their arguments do not hold up to scrutiny.

...

The full study (in German) and the infographic A Primer on Encryption and the Fuss About it (in German and English) are available for download.

The study has been produced with generous support from the Heinrich Böll Foundation.
