by Mirko Hohmann GPPi
The “if” and “how” of regulating encryption technologies has long been a matter of heated debate. One side demands that users should be able to protect their data fully not only from access by criminals or companies, but also from governmental access by means of strong encryption. On the other hand, some security and law enforcement officials argue that no technology should be designed to prevent lawful access (i.e. with a court order) by their agencies. To preserve their ability to detect threats and investigate serious crimes, they argue, information on smartphones and the communication between users should be made available to them in a readable form. After all, the information protected by encryption includes that of many criminals. In a changing technical environment where an increasing amount of important data is unavailable to government agencies due to the use of encryption technologies, some officials argue that they are “going dark,” i.e. that more and more data is inaccessible to them.
Thus, at regular intervals, groups of government officials call for access options to such technologies that are legally and technically anchored. After all, they argue, data should be accessible upon presentation of a search warrant. During the first major debate on the topic – the first “crypto war” of the 1990s – proponents of such regulation demanded that law enforcement be equipped with direct access to information, thus bypassing companies through a “back door.” In recent years, the argument has changed. The regulations proposed are increasingly vague and, if implemented, would force companies to develop their technology in a way that would enable them to retain access and share data with the authorities when asked. In that scenario, encrypted information would be accessed through the “front door.”
While public authorities need to be able to meet the challenges posed by digitization, the demands for legally guaranteed access are neither expedient nor desirable, for three reasons:
In sum, there is little evidence to support an argument for the regulation of encryption technologies. Going forward, rather than making vague demands, public authorities should focus on alternative investigative methods to retain their ability to work effectively in a world of modern information and communications technologies. Reforms in the following areas are particularly suitable:
Controversial demands for front or back doors for state actors can be met with reforms in these areas. All stakeholders, including the private sector and civil society, should engage in a constructive dialogue to shift the conversation accordingly. This might also prevent the pursuit of demands for other disputed investigative methods, such as data retention or data localization. Finally, it should be emphasized that it is on those demanding new regulation to provide evidence for its necessity and explain their ideas for its technical implementation. As they stand, their arguments do not hold up to scrutiny.
The study has been produced with generous support from the Heinrich Böll Foundation.
by Mirko Hohmann, Thorsten Benner
by Thorsten Benner
by Alexander Pirang
Council on Foreign Relations