Encryption is a global issue for nations, corporations, and individuals. However, as characterized by a recent Center for Strategic and International Studies report,1 despite “global concern” there is no “global consensus.” Although the debate on encryption continues, a clear trend is the increasing demands of governments for access to data from Internet companies as recorded by “transparency reports” whether by domestic U.S. legal process or foreign requests.2 A number of countries are currently exploring a variety of regulatory approaches, with significant variation even within the European Union.3,4
There are several concurrent themes to the international dimensions of the issue.
- Global availability. Because encryption technologies are available and developed globally, there are limits to what can be achieved with domestic regulation.
1 J.A. Lewis, D.E. Zheng, and W.A. Carter, 2017, Effect of Encryption of Lawful Access to Communications and Data: A Report of the CSIS Technology Policy Program, https://www.csis.org/analysis/effect-encryption-lawful-access-communications-and-data.
2 “Hand Over the Data,” 2017, Technology Review 102(2):26.
3 D. Severson, n.d., The Encryption Debate in Europe, Aegis Paper Series No. 1702, research report, Hoover Institution, http://www.hoover.org/sites/default/files/research/docs/severson_webreadypdf.pdf.
4 S. Herpig and S. Heuman, 2017, “Germany’s crypto past and hacking future,” Lawfare Blog (April 13), https://www.lawfareblog.com/germanys-crypto-past-and-hacking-future.
- Potential proliferation of national regulation. Other nations are already seeking to regulate encryption and impose access requirements. Those measures may affect the United States in various ways. At the same time, if the U.S. government takes steps to mandate companies to provide access to encrypted content, it will encourage other countries to demand access as well. The resulting proliferation of approaches to enforce such an access requirement may give rise to a patchwork multinational regulatory structure that will likely decrease the technology products that can be sold to the global market.
- Restrictions on international data transfer. Given the amount of Internet traffic that transits the United States and the amount of data stored by U.S. technology companies, any movement toward legislated access for the U.S. government will create concern by other countries that the United States does not have adequate controls over whether law enforcement and/or the intelligence community are accessing the data of citizens of their country. This dynamic may put international data transfer mechanisms, such as the EU-U.S. Privacy Shield Framework, at risk of further legal and political challenges, especially in the European Union. Weakening the mechanisms that allow for lawful international data transfer to the United States will create a disincentive to use U.S. technology and communications networks.
- Global impacts of domestic regulations on citizens of other nations. Citizens around the world have become more aware of and sometimes concerned about the possibility of surveillance by nations other than their own.
Decisions on encryption will have critical consequences for international trade and the competitiveness of U.S. companies whether or not the approaches and solutions are adopted worldwide (and they seem unlikely to be). Any government decisions requiring exceptional access, whether in the United States or elsewhere, are also likely to have global ramifications for human rights, especially privacy, freedoms of speech and association, and the right to information (see Chapter 3). Corporations are faced with the choice of complying with country-specific laws or foregoing markets for their products. As outlined in Chapter 5, countries have a variety of options for responding to the encryption dilemma.
Vendors, whether based in the United State or elsewhere, generally rely on complex international supply chains for the hardware and software that comprise their products and services. This dependence creates opportunities for coercion by foreign governments.
Another international issue is the Mutual Legal Assistance Treaty (MLAT) process through which a country may seek data that is held in another country. This is related to the encryption debate because one
approach when encryption is encountered in an investigation is to seek alternative sources of data stored in the cloud. Increasingly, that data may turn out to be stored in another country, which under the existing process greatly complicates and delays access. Numerous studies have called for reform to enhance both the speed and process to ensure better effectiveness but the framework relies on voluntary cooperation. There are already efforts in this direction, such as those between the United States and United Kingdom. Civil liberties and human rights organizations have expressed concerns that current proposals do not incorporate adequate safeguards to protect individual rights. It may be that international agreements will be easiest in the context of responding to specific types of crimes, such as terrorism or child exploitation. Similarly, it will be much easier to reach bilateral or multilateral agreements regarding law enforcement interests than intelligence interests.
For U.S. vendors, a mandate to provide access could have a significant impact on global revenue. For most multi-national companies, a significant portion of their revenue is generated overseas, owing to demographics (e.g., China and India have more than 1 billion people each) and large potential opportunities in emerging markets more broadly. At the same time, some of the customers in these jurisdictions may be reluctant to use products that provide government access to plaintext, particularly U.S. government access to plaintext. The impact will be sensitive to the particular technical approach used. For example, if key escrow were implemented but the keys were to be stored only in the country of the customer, some customers might find that approach acceptable because they are already subject to local laws. It seems plausible that whether they do will depend on whether the country in question provides strong rule-of-law protections; customers may nevertheless be concerned about U.S. firms providing data to the U.S. government. At the same time, some customers in some markets may be more affected by their own country’s approach to encryption than by the U.S. approach, even if they are buying products from U.S. companies. Indeed, in some cases U.S. firms have tailored their products and services to the regulations of a country in order to participate in that market.5 On the other hand, an approach that uses local stor-
5 See, for example, P. Mozur, 2017, “Apple removes apps from China store that help internet users evade censorship,” New York Times, July 29, https://www.nytimes.com/2017/07/29/technology/china-apple-censorhip.html.
age of escrowed keys and gives repressive regimes control over those keys might not be supported by the United States as an international solution.
The international challenges are compounded by the fact that mobile devices are mobile, which means that a solution does not necessarily satisfy law enforcement needs; for example, sophisticated criminals could simply purchase devices outside the nation in which they intend to use them. Further compounding the challenge is the intersection of encryption and trade policy. For example, trade agreements may constrain how the U.S. government treats foreign visitor’s devices that do not comply with U.S. rules.
The market for encryption products is a global market. It has been estimated that as of early 2016 there are 846 encryption products on the market of which 545 are produced outside of the United States.6 Requirements for government exceptional access in U.S. encryption products, may drive people toward products designed in countries without any encryption regulation. Such a dynamic would, if it plays out in this way, weaken the competitiveness of U.S. companies while reducing the benefits for law enforcement.
The challenges of addressing government exceptional access internationally stem in part from the lack of global norms around such related issues as security interests, business-government relationships, and information and communications privacy. Although the United Nations Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) has been meeting since 2010, there has been little success in establishing norms and confidence-building measures for responsible behavior and the application of international law. To be sure, a set of principles has been promulgated, but the insight from two decades ago by another National Research Council study still remains true today—international communications are conducted with no universally adopted information or communications privacy and security standards or policies.7 The historical experience suggests that it will be difficult to reach agreement on international norms for exceptional access.
There have been a number of (to date unsuccessful) private-sector initiatives to establish industry norms and advocate that states create
6 B. Schneier, K. Seidel, and S. Vijayakumar, 2016, “A Worldwide Survey of Encryption Products,” Berkman Center Research Publication No. 2016-2, https://ssrn.com/abstract=2731160. Note that not all of the products listed in this survey are complete solutions, provide robust security, or are easy to use.
7 National Research Council, 1996, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington DC.
both offensive and defensive norms to foster and maintain trust in mass-market products and services. As part of these appeals industry has requested the establishment of principle-based and coordinated policies on how to handle vulnerabilities. The plan for implementation would be to use intergovernmental forums—such as the G20, Global Conferences on Cyberspace, Organization for Security and Cooperation in Europe (OSCE), Shanghai Cooperative Organization (SCO), UNGGE, or the U.N. Institute for Disarmament Research—to establish this framework.8 Multistakeholder forums such as the recently established Global Commission on the Stability of Cyberspace, which seeks to develop norms to enhance peace and security in cyberspace, may also offer another avenue for seeking consensus.
However, the differing expectations in areas such as business-government relationships, fair “business practices,” and the role of major power security interests plague the possibility of solutions. The prerequisite for a global information structure remains the same—national governments must agree to the principles. This prerequisite remains the answer and the problem.
For products and services that provide encryption, one could try to establish an international uniform model code, a harmonization of the laws, increased mutual recognition of products, or some international interoperability regime for encryption. Each solution has its advantages—however, unless a strategic approach is taken, the global market on encryption may fragment with more authoritarian nation-states mandating access and the market producing inaccessible products for individuals willing to take the risk to secure communications and suffer the state consequences. At the same time, an effort to reach agreement on standards might not provide the level of protection for privacy and civil liberties that some nations or other stakeholders might expect or require.
In short, a global solution seems unlikely and the governments of the United States and other countries and the vendors based in or doing business in these countries will be faced with difficult trade-offs. Key questions include how the U.S. government and others decide to proceed domestically and internationally, and how these government decisions affect the trade-offs made by vendors.
8 S. Charney et al., 2016, “From Articulation to Implementation: Enabling Progress on Cybersecurity Norms,” Microsoft Corporation, https://mscorpmedia.azureedge.net/mscorpmedia/2016/06/Microsoft-Cybersecurity-Norms_vFinal.pdf.