6 International Dimensions

Encryption is a global issue for nations, corporations and individuals. However, as characterized by a recent Center for Strategic and International Studies report,1 despite “global concern” there is no “global consensus.” Although the debate on encryption continues, a clear trend is the increasing demands of governments for access to data from Internet companies as recorded by “transparency reports” whether by domestic U.S. legal process or foreign requests.2 A number of countries are currently exploring a variety of regulatory approaches, with significant variation even within the European Union.3,4

There are several concurrent themes to the international dimensions of the issue.

• Global availability. Because encryption technologies are available and developed globally, there are limits to what can be achieved with domestic regulation.
• Potential proliferation of national regulation. Other nations are already seeking to regulate encryption and impose access requirements. Those measures may affect the United States in various ways. At the same time, if the U.S. government takes steps to mandate companies to provide access to encrypted content, it will encourage other countries to demand access as well. The resulting proliferation of approaches to enforce such an access requirement may give rise to a patchwork multinational regulatory structure that will likely decrease the technology products that can be sold to the global market.
• Restrictions on international data transfer. Given the amount of Internet traffic that transits the United States and the amount of data stored by U.S. technology companies, any movement towards legislated access for the U.S. government will create concern by other countries that the United States does not have adequate controls over whether law enforcement and/or the intelligence community are accessing the data of citizens of their country.
This dynamic may put international data transfer mechanisms, such as the United States–European Union Privacy Shield, at risk of further legal and political challenges, especially in the European Union. Weakening the mechanisms that allow for lawful international data transfer to the United States will create a disincentive to use U.S. technology and communications networks.

1 James A. Lewis, Denise E. Zheng, and William A. Carter, 2017, Effect of Encryption of Lawful Access to Communications and Data: A Report of the CSIS Technology Policy Program, https://www.csis.org/analysis/effect-encryption-lawful-access-communications-and-data.
2 “Hand Over the Data,” 2017, Technology Review 102, no. 2 (March): 26.
3 Daniel Severson, n.d., The Encryption Debate in Europe, Aegis Paper Series No. 1702, research report, Hoover Institution, http://www.hoover.org/sites/default/files/research/docs/severson_webreadypdf.pdf.
4 Sven Herpig and Stefan Heuman, 2017, “Germany’s Crypto Past and Hacking Future,” Lawfare Blog (April 13), https://www.lawfareblog.com/germanys-crypto-past-and-hacking-future.

PRE-PUBLICATION COPY—SUBJECT TO FURTHER EDITORIAL CORRECTION
• Global impacts of domestic regulations on citizens of other nations. Citizens around the world have become more aware of and sometimes concerned about the possibility of surveillance by nations other than their own.

Decisions on encryption will have critical consequences for international trade and the competitiveness of U.S. companies whether or not the approaches and solutions are adopted worldwide (and they seem unlikely to be). Any government decisions requiring exceptional access, whether in the United States or elsewhere, are also likely to have global ramifications for human rights, especially privacy, freedoms of speech and association, and the right to information (see Chapter 3). Corporations are faced with the choice of complying with country-specific laws or foregoing markets for their products. As outlined in Chapter 5, countries have a variety of options for responding to the encryption dilemma.

Vendors, whether based in the United States or elsewhere, generally rely on complex international supply chains for the hardware and software that make up their products and services. This dependence creates opportunities for coercion by foreign governments.

Another international issue is the Mutual Legal Assistance Treaty (MLAT) process through which a country may seek data that is held in another country. This is related to the encryption debate because one approach when encryption is encountered in an investigation is to seek alternative sources of data stored in the cloud. Increasingly, that data may turn out to be stored in another country, which under the existing process greatly complicates and delays access. Numerous studies have called for reform to enhance both the speed and process to ensure better effectiveness, but the framework relies on voluntary cooperation. There are already efforts in this direction, such as those between the United States and United Kingdom.
Civil liberties and human rights organizations have expressed concerns that current proposals do not incorporate adequate safeguards to protect individual rights. It may be that international agreements will be easiest in the context of responding to specific types of crimes, such as terrorism or child exploitation. Similarly, it will be much easier to reach bilateral or multilateral agreements regarding law enforcement interests than intelligence interests.

6.1 Effects of U.S. Actions on Other Countries and the International Market for U.S. Goods and Services

For U.S. vendors, a mandate to provide access could have a significant impact on global revenue. For most multi-national companies, a significant portion of their revenue is generated overseas, owing to demographics (e.g., China and India have more than 1 billion people each) and large potential opportunities in emerging markets more broadly. At the same time, some of the customers in these jurisdictions may be reluctant to use products that provide government access to plaintext, particularly U.S. government access to plaintext. The impact will be sensitive to the particular technical approach used. For example, if key escrow were implemented but the keys were to be stored only in the country of the customer, some customers might find that approach acceptable since they are already subject to local laws. It seems plausible that whether they do will depend on whether the country in question provides strong rule-of-law protections; customers may nevertheless be concerned about U.S. firms providing data to the U.S. government. At the same time, some customers in some markets may be more affected by their own country’s approach to encryption than by the U.S. approach, even if they are buying products from U.S. companies. Indeed, in some cases U.S.
firms have tailored their products and services to the regulations of a country in order to participate in
that market.5 On the other hand, an approach that uses local storage of escrowed keys and gives repressive regimes control over those keys might not be supported by the United States as an international solution.

The international challenges are compounded by the fact that mobile devices are mobile, which means that a solution does not necessarily satisfy law enforcement needs; for example, sophisticated criminals could simply purchase devices outside the nation in which they intend to use them. Further compounding the challenge is the intersection of encryption and trade policy. For example, trade agreements may constrain how the U.S. government treats foreign visitor’s devices that do not comply with U.S. rules.

The market for encryption products is a global market. It has been estimated that as of early 2016 there are 846 encryption products on the market, of which 545 are produced outside of the United States.6 Requirements for government exceptional access in U.S. encryption products may drive people toward products designed in countries without any encryption regulation. Such a dynamic would, if it plays out in this way, weaken the competitiveness of U.S. companies while reducing the benefits for law enforcement.

6.2 Global Norms

The challenges of addressing government exceptional access internationally stem in part from the lack of global norms around such related issues as security interests, business-government relationships, and information and communications privacy. Although the United Nations Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) has been meeting since 2010, there has been little success in establishing norms and confidence-building measures for responsible behavior and the application of international law.
To be sure, a set of principles has been promulgated but the insight from two decades ago by another National Research Council study still remains true today—international communications are conducted with no universally adopted information or communications privacy and security standards or policies.7 The historical experience suggests that it will be difficult to reach agreement on international norms for exceptional access.

There have been a number of (to date unsuccessful) private-sector initiatives to establish industry norms and advocate that states create both offensive and defensive norms to foster and maintain trust in mass-market products and services. As part of these appeals industry has requested the establishment of principle-based and coordinated policies on how to handle vulnerabilities. The plan for implementation would be to use intergovernmental forums—such as the G20, Global Conferences on Cyberspace, Organization for Security and Cooperation in Europe (OSCE), Shanghai Cooperative Organization (SCO), UNGGE, or the U.N. Institute for Disarmament Research—to establish this framework.8 Multistakeholder forums such as the recently established Global Commission on the Stability of Cyberspace, which seeks to develop norms to enhance peace and security in cyberspace, may also offer another avenue for seeking consensus.

5 See, for example, Paul Mozur, 2017, “Apple Removes Apps From China Store That Help Internet Users Evade Censorship,” New York Times (July 29), https://www.nytimes.com/2017/07/29/technology/china-apple-censorhip.html.
6 Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, 2016, “A Worldwide Survey of Encryption Products,” Berkman Center Research Publication No. 2016-2, https://ssrn.com/abstract=2731160. Note that not all of the products listed in this survey are complete solutions, provide robust security, or are easy to use.
7 National Research Council, 1996, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington DC.
8 Scott Charney et al., 2016, From Articulation to Implementation: Enabling Progress on Cybersecurity Norms, Microsoft Corporation, https://mscorpmedia.azureedge.net/mscorpmedia/2016/06/Microsoft-Cybersecurity-Norms_vFinal.pdf.

However, the differing expectations in areas such as business-government relationships, fair “business practices,” and the role of major power security interests plague the possibility of solutions. The prerequisite for a global information structure remains the same—national governments must agree to the principles. This prerequisite remains the answer and the problem.

For products and services that provide encryption, one could try to establish an international uniform model code, a harmonization of the laws, increased mutual recognition of products, or some international interoperability regime for encryption. Each solution has its advantages—however, unless a strategic approach is taken, the global market on encryption may fragment with more authoritarian nation-states mandating access and the market producing inaccessible products for individuals willing to take the risk to secure communications and suffer the state consequences. At the same time, an effort to reach agreement on standards might not provide the level of protection for privacy and civil liberties that some nations or other stakeholders might expect or require.

In short, a global solution seems unlikely and the governments of the United States and other countries and the vendors based in or doing business in these countries will be faced with difficult trade-offs. Key questions include how the U.S. government and others decide to proceed domestically and internationally, and how these government decisions affect the trade-offs made by vendors.