In recent years there has been a backlash against encryption by governments and policy makers across the world. However, encryption is critical for our digital society’s safety, writes David Frautschy.
David Frautschy is the director for European government and regulatory affairs at the Internet Society.
Individuals, businesses, and institutions around the world rely on strong encryption as a secure tool to ensure that sensitive information remains confidential and out of the hands of criminals or government surveillance. Yet in recent years there has been a backlash against encryption by governments and policy makers in the EU and across the world. Whether in trying to create a framework that allows for law enforcement agency access to data in criminal investigations or to counter the sharing of objectionable content online -they claim the false argument that if users have nothing to hide, they shouldn’t be concerned. But they fail to recognize – or simply ignore – just how critical strong encryption is for today’s society. We all have information we need to be able to hide from criminals and others who could do us harm.
Last November, the European Council published the resolution “Security through encryption and security despite encryption”, which states that law enforcement “must be able to access data in a lawful and targeted manner,” and calls on stakeholders to find “technical solutions” to provide law enforcement access to end-to-end encrypted communications. However, there is no way of breaking encryption without making everyone more vulnerable online. The “Breaking Encryption Myths” report published last year by the Global Encryption Coalition and signed by more than 50 Internet experts shows that there is no way to create a means for law enforcement access to end-to-end encrypted communications that only the ‘good guys’ can access and the ‘bad guys’ cannot.
The recent revelations of the NSO spyware demonstrate that law enforcement tools to gain access to encrypted communications will inevitably fall into the wrong hands. While the vulnerabilities used by NSO are known and likely being patched, the encryption backdoors that EU policymakers want to create for law enforcement access will ultimately create vulnerabilities that bad actors will use. Even worse, companies will be barred from fixing the mandated vulnerabilities lest they lock out certain ‘lawful’ actors as well. The lack of understanding of end-to-end encryption is baffling, and incredibly dangerous.
That’s the problem with the argument that citizens shouldn’t fear encryption backdoors if they have nothing to hide. I confess I’ve got things to hide: my bank accounts, my salary slips, my tax forms, my passwords, my health records, pictures from my holidays, the emails I’ve exchanged. I want all that information to be protected from criminals who could use it to make me the victim of fraud or other crimes. While most users may not have things to hide from law enforcement, an encryption backdoor prevents us from hiding our information from criminals too.
A recent roundtable on encryption hosted by the Internet Society invited participants from EU member states, the UK and Brazil from government, civil society and the technology sector to explore how to apply the European Council’s position on encryption. Important issues that require further consideration include the definition of protocols and governance models that would reinforce citizens’ trust, and the available alternatives to breaking encryption, such as metadata analysis and improvements to technical forensics capabilities of law enforcement.
Public safety can be protected without compromising privacy and cybersecurity, and it is our duty to explain that it is not acceptable to create frameworks that undermine encryption. Policymakers need to stop describing a false scenario where encryption is a tool that protects criminals and therefore needs to be weakened; or that criminal evidence can only be gathered overriding encryption.
The work ahead is complex and must be done by technical experts and civil society leaders working in consort and guided by trust. Encryption is critical for our digital society’s safety; it is a building block of a trustworthy Internet. We all have things to hide.