Legislators around the world don’t like encryption and actively want to kill it. The activities range from having a campaign against encryption to coming up with laws. The US senate judiciary committee on December 10, 2019 warned tech corporations and social media platforms to find a way for law enforcement agencies to access personal communication of the corporations’ users and customers. Otherwise, the legislators would impose their will on these platforms. Lindsey Graham, the Chair of the committee, said: “My advice for you is to get on with it, because this time next year [in 2020] if we haven’t found a way . . . we will impose our will on you”
It has been two years since the threat of regulation, so it would be interesting to see what sort of activities have taken place since that threat.
Lindsay Graham did not manage to impose his will on these corporations. At least not yet. But he and his colleagues came up with a new bill called Lawful Access to Encrypted Data Act (LAEDA, 2020). When the bill came out, according to the Electronic Frontier Foundation, it was even more out of touch with reality than bills such as EARN IT Act.
The bill is not very sophisticated. The legislator didn’t consider the public comments it received, so it simply recommended a backdoor. And it invoked the usual justifications such as combatting terrorists and criminals’ (mostly child predators’) use of these technologies and apps. The bill also argued that encryption makes it impossible to receive information and evidence, even with a court order.
Why so riled up?
I think one of the most important questions we need to ask is why nation states, legislators, and law enforcement—regardless of their autocratic or democratic natures—hold so many reservations about encryption? Law enforcement personnel, when investigating criminal activities (including cybercrime and cybersecurity attack) need to gather as much evidence as possible. In criminal investigations, since many of our modes of communications have moved online, they have to gather the evidence that is available on the Internet. They cannot, however, access the encrypted texts online, unless they have the access key to the encrypted materials. Access to that key has become impossible since tech corporations have adopted technologies that do not give the corporations the key. Only the users or the users’ devices know what the necessary key is.
How did tech corporations get on with it?
Tech corporations do not take the threat of legislation for granted. Last year Apple decided to install a kind of “upload filter” on its iCloud that would scan photos for Child Abuse Materials. According to Apple Technical Summary Report: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known Child Sexual Abuse Material (CSAM) in their iCloud Photos accounts”. The system Apple suggested included three technologies which would lead to decryption of the message using a “hash database”. For example, if the user image “hash” matches the CSAM hash database, then the server can derive the encryption key and successfully decrypt the message. The digital rights activists were vehemently against this plan and Apple did not go ahead with implementation.
Meta delayed implementing encryption for some of its products. Meta already put encryption in place for WhatsApp messenger in 2016. It had announced plans to implement end-to-end encryption on Facebook and Instagram’s Messenger Service, but Meta delayed the implementation until at least 2023.
What is law enforcement doing?
Law enforcement, for now, relies on social media for intelligence assessments and investigations. The Federal Bureau of Investigation contracts with social media monitoring companies “to obtain early alerts on ongoing national security and public-safety related events through lawfully collected/acquired social media data”. There are some suggestions to hoard metadata. But these collaborations with the private sector and sometimes even with not for profits that are human rights oriented can have dire consequences such as encroaching on the rights of others, financially benefiting from surveillance or just glorifying Open Source Intelligence Techniques and denying their consequences on some of the human rights.
What is the solution?
History teaches that we can’t rely only on sending public comments to Congress to prevent the creation of bad laws. Neither can we have a technocratic view that we can resolve this issue only through technical means. We need governance mechanisms and coalition building.
Turning enemies into allies
There are different ways that we might be able to convince nation states not to come up with encryption threatening laws occasionally.
One way might be by coalition building. For example, when Belgium wanted to impose a backdoor law, the Global Encryption Coalition opposed the law which helped with not having the encryption clauses. It also helped the cause that many global lobbyists are also in Brussels.
The Internet includes giant social systems. We need a system so that all people who are affected by these systems can understand them. To do that we need to engage law enforcement in these conversations about encryption.
Law enforcement agencies exist to uphold the rule of law. Encryption itself is a great tool that helps with upholding the rule of law. Law enforcement and ubiquitous encryption are really not natural enemies. Perhaps turning law enforcement agencies to one of the allies and advocates for encryption might work better. So, the Encryption Coalition can have an intake of members from pro-encryption law enforcement agencies. That way, we might not have to continue playing the game of whack a mole and go after every bad law that threatens encryption on the planet.