Study

Front, Back, and Trap Doors: Refocusing the Encryption Debate

Hohmann Zum Staatlichen Umgang Mit Verschluesselung Original
Source: Charles Deluno /​Unsplash
By
Mirko Hohmann
16 Jan 2018
Funded by

Heinrich Böll Foundation

The if” and how” of regulating encryption technologies has long been a matter of heated debate. One side demands that users should be able to protect their data fully not only from access by criminals or companies, but also from governmental access by means of strong encryption. On the other hand, some security and law enforcement officials argue that no technology should be designed to prevent lawful access (i.e. with a court order) by their agencies. To preserve their ability to detect threats and investigate serious crimes, they argue, information on smartphones and the communication between users should be made available to them in a readable form. After all, the information protected by encryption includes that of many criminals. In a changing technical environment where an increasing amount of important data is unavailable to government agencies due to the use of encryption technologies, some officials argue that they are going dark,” i.e. that more and more data is inaccessible to them.

Thus, at regular intervals, groups of government officials call for access options to such technologies that are legally and technically anchored. After all, they argue, data should be accessible upon presentation of a search warrant. During the first major debate on the topic – the first crypto war” of the 1990s – proponents of such regulation demanded that law enforcement be equipped with direct access to information, thus bypassing companies through a back door.” In recent years, the argument has changed. The regulations proposed are increasingly vague and, if implemented, would force companies to develop their technology in a way that would enable them to retain access and share data with the authorities when asked. In that scenario, encrypted information would be accessed through the front door.”

While public authorities need to be able to meet the challenges posed by digitization, the demands for legally guaranteed access are neither expedient nor desirable, for three reasons:

  • Lack of need. While officials claim that they are increasingly going dark,” it is also fair to argue that we live in a golden age of surveillance”: more and more communication takes place online and can be tracked or eavesdropped on. Importantly, both lines of argument are often supported only anecdotally. At this point, however, a review of publicly available data on the problems faced by public authorities using encryption technologies does not suggest a compelling need for new solutions.

  • Unclear implementation. Hundreds of different encryption technologies exist worldwide, almost half of which are available online for free. It is therefore doubtful that regulations in individual countries would have a lasting effect on the availability of such technologies to criminals, as alternatives can always be found. It is also unclear how demands for lawful access should be technically implemented.

  • Negative externalities. While the need for and implementation of possible regulations remain unclear, the negative externalities of such potential measures can be easily demonstrated. These would (1) reduce IT security through the introduction of new technical vulnerabilities, (2) erode confidence in the technology industry, and (3) bolster the position of authoritarian states that have been calling for such access for years, thus threatening human rights worldwide.

In sum, there is little evidence to support an argument for the regulation of encryption technologies. Going forward, rather than making vague demands, public authorities should focus on alternative investigative methods to retain their ability to work effectively in a world of modern information and communications technologies. Reforms in the following areas are particularly suitable:

  • Personnel and training. Due to technological change, the requirements for investigative work are constantly changing. Therefore, authorities need more support from IT specialists. More importantly, it is necessary to promote expertise about the use of digital evidence as well as other new methods and tactics through training and similar measures. Such training is particularly relevant for security and law enforcement agencies, but should also take place in public prosecutors’ offices and courts.

  • Reform of the mutual legal assistance regime. Data that is stored in a different jurisdiction might be just as far from the reach of national authorities as encrypted data. Given the international nature of the digital economy, such cases will increase and there is a need to work better across jurisdictions. In this context, it is urgent to reform the current mutual legal assistance regime in order to simplify cross-border investigations.

  • Governmental hacking. Through online searches or the monitoring of communications directly at endpoints like smartphones or laptops, authorities can bypass encryption technologies and gain access to data on these devices before it is encrypted. Such hacking methods, which typically exploit vulnerabilities in software and hardware, will play an increasingly important role in the digital age. At the same time, they are highly controversial – and for good reason. It is therefore all the more necessary to clarify open technical and legal questions and to draw up vulnerabilities equities processes. These processes specify how government agencies’ knowledge of vulnerabilities must be managed and should be as transparent as possible.

Controversial demands for front or back doors for state actors can be met with reforms in these areas. All stakeholders, including the private sector and civil society, should engage in a constructive dialogue to shift the conversation accordingly. This might also prevent the pursuit of demands for other disputed investigative methods, such as data retention or data localization. Finally, it should be emphasized that it is on those demanding new regulation to provide evidence for its necessity and explain their ideas for its technical implementation. As they stand, their arguments do not hold up to scrutiny. 

The full study (in German) and the infographic A Primer on Encryption and the Fuss About it (in German and English) are available for download. 

The study has been produced with generous support from the Heinrich Böll Foundation.

Related

Hensing 2024 De Risking
Commentary

Germany Shows Why Europe Cannot Rely on Business-Led De-Risking

By Jakob Hensing
Bressan 2024 EUISS
Policy brief

The Power and Limits of Data for Peace

By Sarah Bressan
Undersea Cables 2023
Project

Maritime Infrastructure Protection: Agenda for a Secure and Resilient Undersea Cable Network

Bressan Hoxtell 2023 Whose Bright Idea Think Tanks
Study

Whose Bright Idea Was That?

By Sarah Bressan, Wade Hoxtell
Benner 2021 Seven Lessons from the German 5 G Debate
Commentary

Seven Lessons From the German 5G Debate

By Thorsten Benner
Benner 2021 5 G Saga
Commentary

Lehren aus der 5G-Saga

By Thorsten Benner
Pirang 2020 User Attention
articles

User Attention is the New Frontier in Content Regulation

By Alexander Pirang
Benner 2020 UK 5 G
Commentary

Britain Knows It’s Selling Out Its National Security to Huawei

By Thorsten Benner