National Academies Press: OpenBook

Decrypting the Encryption Debate: A Framework for Decision Makers (2018)

Chapter: 6 International Dimensions

Suggested Citation: "6 International Dimensions." National Academies of Sciences, Engineering, and Medicine. 2018. Decrypting the Encryption Debate: A Framework for Decision Makers. Washington, DC: The National Academies Press. doi: 10.17226/25010.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

6 International Dimensions

Encryption is a global issue for nations, corporations and individuals. However, as characterized by a recent Center for Strategic and International Studies report,1 despite “global concern” there is no “global consensus.” Although the debate on encryption continues, a clear trend is the increasing demands of governments for access to data from Internet companies as recorded by “transparency reports” whether by domestic U.S. legal process or foreign requests.2 A number of countries are currently exploring a variety of regulatory approaches, with significant variation even within the European Union.3,4

There are several concurrent themes to the international dimensions of the issue.

• Global availability. Because encryption technologies are available and developed globally, there are limits to what can be achieved with domestic regulation.

• Potential proliferation of national regulation. Other nations are already seeking to regulate encryption and impose access requirements. Those measures may affect the United States in various ways. At the same time, if the U.S. government takes steps to mandate companies to provide access to encrypted content, it will encourage other countries to demand access as well. The resulting proliferation of approaches to enforce such an access requirement may give rise to a patchwork multinational regulatory structure that will likely decrease the technology products that can be sold to the global market.

• Restrictions on international data transfer. Given the amount of Internet traffic that transits the United States and the amount of data stored by U.S. technology companies, any movement towards legislated access for the U.S. government will create concern by other countries that the United States does not have adequate controls over whether law enforcement and/or the intelligence community are accessing the data of citizens of their country. This dynamic may put international data transfer mechanisms, such as the United States–European Union Privacy Shield, at risk of further legal and political challenges, especially in the European Union. Weakening the mechanisms that allow for lawful international data transfer to the United States will create a disincentive to use U.S. technology and communications networks.

• Global impacts of domestic regulations on citizens of other nations. Citizens around the world have become more aware of and sometimes concerned about the possibility of surveillance by nations other than their own.

Decisions on encryption will have critical consequences for international trade and the competitiveness of U.S. companies whether or not the approaches and solutions are adopted worldwide (and they seem unlikely to be). Any government decisions requiring exceptional access, whether in the United States or elsewhere, are also likely to have global ramifications for human rights, especially privacy, freedoms of speech and association, and the right to information (see Chapter 3). Corporations are faced with the choice of complying with country-specific laws or foregoing markets for their products.

As outlined in Chapter 5, countries have a variety of options for responding to the encryption dilemma. Vendors, whether based in the United States or elsewhere, generally rely on complex international supply chains for the hardware and software that make up their products and services. This dependence creates opportunities for coercion by foreign governments.

Another international issue is the Mutual Legal Assistance Treaty (MLAT) process through which a country may seek data that is held in another country. This is related to the encryption debate because one approach when encryption is encountered in an investigation is to seek alternative sources of data stored in the cloud. Increasingly, that data may turn out to be stored in another country, which under the existing process greatly complicates and delays access. Numerous studies have called for reform to enhance both the speed and process to ensure better effectiveness but the framework relies on voluntary cooperation. There are already efforts in this direction, such as those between the United States and United Kingdom. Civil liberties and human rights organizations have expressed concerns that current proposals do not incorporate adequate safeguards to protect individual rights. It may be that international agreements will be easiest in the context of responding to specific types of crimes, such as terrorism or child exploitation. Similarly, it will be much easier to reach bilateral or multilateral agreements regarding law enforcement interests than intelligence interests.

6.1 Effects of U.S. Actions on Other Countries and the International Market for U.S. Goods and Services

For U.S. vendors, a mandate to provide access could have a significant impact on global revenue. For most multi-national companies, a significant portion of their revenue is generated overseas, owing to demographics (e.g., China and India have more than 1 billion people each) and large potential opportunities in emerging markets more broadly. At the same time, some of the customers in these jurisdictions may be reluctant to use products that provide government access to plaintext, particularly U.S. government access to plaintext. The impact will be sensitive to the particular technical approach used. For example, if key escrow were implemented but the keys were to be stored only in the country of the customer, some customers might find that approach acceptable since they are already subject to local laws. It seems plausible that whether they do will depend on whether the country in question provides strong rule-of-law protections; customers may nevertheless be concerned about U.S. firms providing data to the U.S. government. At the same time, some customers in some markets may be more affected by their own country’s approach to encryption than by the U.S. approach, even if they are buying products from U.S. companies. Indeed, in some cases U.S. firms have tailored their products and services to the regulations of a country in order to participate in that market.5 On the other hand, an approach that uses local storage of escrowed keys and gives repressive regimes control over those keys might not be supported by the United States as an international solution.

The international challenges are compounded by the fact that mobile devices are mobile, which means that a solution does not necessarily satisfy law enforcement needs; for example, sophisticated criminals could simply purchase devices outside the nation in which they intend to use them. Further compounding the challenge is the intersection of encryption and trade policy. For example, trade agreements may constrain how the U.S. government treats foreign visitors’ devices that do not comply with U.S. rules.

The market for encryption products is a global market. It has been estimated that as of early 2016 there are 846 encryption products on the market of which 545 are produced outside of the United States.6 Requirements for government exceptional access in U.S. encryption products may drive people toward products designed in countries without any encryption regulation. Such a dynamic would, if it plays out in this way, weaken the competitiveness of U.S. companies while reducing the benefits for law enforcement.

6.2 Global Norms

The challenges of addressing government exceptional access internationally stem in part from the lack of global norms around such related issues as security interests, business-government relationships, and information and communications privacy. Although the United Nations Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) has been meeting since 2010, there has been little success in establishing norms and confidence-building measures for responsible behavior and the application of international law. To be sure, a set of principles has been promulgated but the insight from two decades ago by another National Research Council study still remains true today—international communications are conducted with no universally adopted information or communications privacy and security standards or policies.7 The historical experience suggests that it will be difficult to reach agreement on international norms for exceptional access.

There have been a number of (to date unsuccessful) private-sector initiatives to establish industry norms and advocate that states create both offensive and defensive norms to foster and maintain trust in mass-market products and services. As part of these appeals industry has requested the establishment of principle-based and coordinated policies on how to handle vulnerabilities. The plan for implementation would be to use intergovernmental forums—such as the G20, Global Conferences on Cyberspace, Organization for Security and Cooperation in Europe (OSCE), Shanghai Cooperative Organization (SCO), UNGGE, or the U.N. Institute for Disarmament Research—to establish this framework.8 Multistakeholder forums such as the recently established Global Commission on the Stability of Cyberspace, which seeks to develop norms to enhance peace and security in cyberspace, may also offer another avenue for seeking consensus.

However, the differing expectations in areas such as business-government relationships, fair “business practices,” and the role of major power security interests plague the possibility of solutions. The prerequisite for a global information structure remains the same—national governments must agree to the principles. This prerequisite remains the answer and the problem.

For products and services that provide encryption, one could try to establish an international uniform model code, a harmonization of the laws, increased mutual recognition of products, or some international interoperability regime for encryption. Each solution has its advantages—however, unless a strategic approach is taken, the global market on encryption may fragment with more authoritarian nation-states mandating access and the market producing inaccessible products for individuals willing to take the risk to secure communications and suffer the state consequences. At the same time, an effort to reach agreement on standards might not provide the level of protection for privacy and civil liberties that some nations or other stakeholders might expect or require.

In short, a global solution seems unlikely and the governments of the United States and other countries and the vendors based in or doing business in these countries will be faced with difficult trade-offs. Key questions include how the U.S. government and others decide to proceed domestically and internationally, and how these government decisions affect the trade-offs made by vendors.

Notes

1 James A. Lewis, Denise E. Zheng, and William A. Carter, 2017, Effect of Encryption of Lawful Access to Communications and Data: A Report of the CSIS Technology Policy Program, communications-and-data.

2 “Hand Over the Data,” 2017, Technology Review 102, no. 2 (March): 26.

3 Daniel Severson, n.d., The Encryption Debate in Europe, Aegis Paper Series No. 1702, research report, Hoover Institution,

4 Sven Herpig and Stefan Heuman, 2017, “Germany’s Crypto Past and Hacking Future,” Lawfare Blog (April 13), https: //

5 See, for example, Paul Mozur, 2017, “Apple Removes Apps From China Store That Help Internet Users Evade Censorship,” New York Times (July 29),

6 Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, 2016, “A Worldwide Survey of Encryption Products,” Berkman Center Research Publication No. 2016-2, Note that not all of the products listed in this survey are complete solutions, provide robust security, or are easy to use.

7 National Research Council, 1996, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington DC.

8 Scott Charney et al., 2016, From Articulation to Implementation: Enabling Progress on Cybersecurity Norms, Microsoft Corporation,

PRE-PUBLICATION COPY—SUBJECT TO FURTHER EDITORIAL CORRECTION


Encryption protects information stored on smartphones, laptops, and other devices - in some cases by default. Encrypted communications are provided by widely used computing devices and services - such as smartphones, laptops, and messaging applications - that are used by hundreds of millions of users. Individuals, organizations, and governments rely on encryption to counter threats from a wide range of actors, including unsophisticated and sophisticated criminals, foreign intelligence agencies, and repressive governments. Encryption on its own does not solve the challenge of providing effective security for data and systems, but it is an important tool.

At the same time, encryption is relied on by criminals to avoid investigation and prosecution, including criminals who may unknowingly benefit from default settings as well as those who deliberately use encryption. Thus, encryption complicates law enforcement and intelligence investigations. When communications are encrypted "end-to-end," intercepted messages cannot be understood. When a smartphone is locked and encrypted, the contents cannot be read if the phone is seized by investigators.

Decrypting the Encryption Debate reviews how encryption is used, including its applications to cybersecurity; its role in protecting privacy and civil liberties; the needs of law enforcement and the intelligence community for information; technical and policy options for accessing plaintext; and the international landscape. This book describes the context in which decisions about providing authorized government agencies access to the plaintext version of encrypted information would be made and identifies and characterizes possible mechanisms and alternative means of obtaining information.
