Encryption Paradox: Examining Bottlenecks in Devising Policy Responses

The Visio Journal #3

This paper aims to examine the hindrances to formulating policies on the use of encrypted communication including the fundamental contradiction between the interests of the government and manufacturers or companies aiming to build the most secure software. By using the concept of encryption workarounds, defined by Kerr and Schneier (2017), as lawful efforts undertaken by governments to reveal unencrypted plaintext of a target’s data, this paper will highlight the intractable path to developing policy responses at the regional and domestic level.

Analysing these bottlenecks that significantly slow down policy formulation will pave the way for a better understanding of the approach that governments should adopt in mitigating technology-driven insecurity. This research effort will be augmented by reflecting on select past examples of governments seeking third-party assistance to decrypt information for the purposes of stemming future criminal or terrorist activity.

Introduction

According to recent estimates, 22 percent of global communication traffic will be protected via end-to-end encryption by 2019. A significant number of popular messaging applications today boast of securing communication on their platforms in this manner, making the information exchanged both inaccessible and unreadable to a third party (Lewis, Zheng, and Carter 2017) ‘End-to-end encryption’ refers to the encryption of messages that are in transit from a sender to a receiver, and while it is not as integrated or widely available as endpoint encryption businesses are developing more user-friendly ways to integrate it into their platforms (The Chertoff Group, 2015). This has easily become one of the defining technological trends in today’s internet landscape.

In August 2018, the governments of the United States, United Kingdom, Canada, Australia, and New Zealand issued a joint statement on principles of access and encryption. The statement reflected on the increasing use and sophistication of certain encryption designs that present challenges for nations in combating serious crimes and threats to national and global security. While recognising that encryption is vital to the digital economy and a secure cyberspace, the statement emphasised pursuing technological or legislative methods when governments face impediments to lawful access to information for the protection of their citizens, according to the document published by the Australian Department of Home Affairs.

Increasingly, policymakers and legislators around the world are responding to the trend of widespread deployment of encryption in devices in order to take down obstacles to accessing private information. Yet, the joint statement, as well as the broader narrative on encryption around the world is precipitated not only by the increased availability of encryption tools. For example, the recent spate of terror attacks in various European cities has largely influenced the debate in countries like France where an amendment that could require electronic manufacturers to build back doors into their products was debated but ultimately rejected by the National Assembly.

With the intention of empowering law enforcement to stem terrorist activities, other member-states of the European Union like Hungary and Poland are issuing new regulations and amendments that increase not only government access to digital data but also the scope of surveillance.

In the US, Edward Snowden’s revelations about mass surveillance by the government had a profound effect on the availability of strong encryption tools; perhaps owing to the need to distinguish governmental activity from commercial products, device manufacturers have deployed default encryption systems that automatically store data in an encrypted manner (The Chertoff Group, 2015).

In August, as Yuthika Bhargava highlighted in her August 23, 2018 The Hindu article, Facebook-owned WhatsApp rejected a demand by the Government of India to find a solution which could trace the origin of a message on its platform. The company argued that traceability would undermine end-to-end encryption and affect the application’s privacy protection duties.

The fact that governments want access to private information for achieving broader national security objectives is not new. However, necessitating assistance from manufacturers of encryption products, and the resulting fundamental discord between government objectives and commercial interests, make the policy process more intractable. This article analyses the bottlenecks to policy formulation that significantly slow down policy formulation, in an effort to pave the way for a better understanding of the approach that governments should adopt in mitigating technology-driven insecurity.

What Constitutes a ‘good’ Encryption Policy?

Encryption policy entails the full array of government activities that guide the development, use, and adoption of encryption technology. It also speaks of a normative judgement on the part of the government about the value of such technology and is underpinned by geopolitical, social, and economic contexts (Budish, Burkert, and Gasser 2018). Therefore, encryption policies can be directly or indirectly used to further certain objectives as they tend to have an impact both domestically and internationally.

A country’s encryption policy can also have ripple effects: given the massive number of interdependencies between international trade, technological trends, and geopolitics, a decision on encryption at the domestic level can impact another country’s public policy, private sector, and regulatory framework.

Encryption policy can be implemented via various tools which are not restricted to only legislation and regulation but also include multilateral treaties, standard-setting through cooperation with all stakeholders, exercising hegemonic status and soft power to influence other governments or corporations to follow similar regulation, and compelling private manufacturers to assist in criminal investigation, respectively.

There are numerous examples of states using one or more of such policy instruments to tackle the increasingly grey areas emerging from the widespread use and deployment of encryption tools.

The Australian government released a draft of the Assistance and Access Bill in August 2018, which provides security agencies with a new set of powers to respond to the challenges posed by encryption. The explanatory document emphasises that 95 percent of the Australian Security Intelligence Organisation’s (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications and therefore, the use of encryption is eroding the ability of law enforcement to access intelligible data.

The bill broadens the obligations of domestic and foreign communication providers—which include device manufacturers, application and software providers, and carriage service providers—to allow access to communication.

Moreover, it introduces new computer access warrants for law enforcement, enabling them to covertly obtain evidence directly from a device, and strengthens the ability of security authorities to overtly access data through the existing search and seizure warrants, according to the document published by the Australian Department of Home Affairs.

The Department of Home Affairs maintains that provisions will only be implemented within caveats like technical feasibility and that providers will not be prevented from fixing existing systemic vulnerabilities. However, there are aspects of the bill that raise significant concerns about transparency, oversight, and accountability structures and processes, as reported by Monique Mann in her August 15, 2018 article in The Conversation. It allows for a relevant government authority to issue a “technical capability notice” that would require a communications provider to build a new capability enabling police access to a device or service.

This, coupled with the massive non-compliance fines makes the Australian bill one of the tougher draft legislations to be discussed by a democratic state, stoking worries of a dangerous precedent for other nations.

In the US in August, law enforcement agencies took Facebook to court to obtain access to a suspect’s voice conversations on their Messenger app; the police were investigating members of the MS-13 gang, as reported by Dan Levine and Joseph Menn in their August 18, 2018 report on Reuters.

Given that Messenger voice calls are encrypted end-to-end, the only way to comply with the government’s demand would be to rewrite the code relied upon by all its users to remove encryption, or else, hack the government’s target.

Similarly, global messaging application WhatsApp, owned by Facebook, has not wavered in its stance against providing traceability to messages, arguing that doing so would rescind one of its key features, i.e., end-to-end encryption, which means the application retains no user data and access to conversations. The Indian government had demanded, among others, traceability of messages following a series of lynchings purportedly caused by the spread of fake news and misinformation through WhatsApp.

These incidents are illustrative for two reasons: they indicate the different tools at a government’s disposal to shape encryption policy directly or indirectly; and they highlight the perpetual disagreement between, on one hand, software companies wanting the highest levels of privacy, and on the other, state forces mandated to promote security.

What, then, constitutes a good or bad encryption policy? Is there a degree of normativity that can be attached to domestic or international policies on encryption?

At the heart of the policy debate on encryption lays the recurring privacy-security narrative that posits a trade-off between the privacy of citizens and the degree to which the state monitors and intercepts communication for keeping them secure. To a large extent, the diffusion of encryption technology to average users has been largely problematised within this dichotomy and informed by the underlying paradox: the less privacy to the individual, the better security for the nation.

However, in the context of encrypted communications, this poses a problem as there simply is not enough data to indicate the extent to which criminal or terrorist investigations have been hampered by encryption tools. Media reports on the November 2015 Paris terror attacks, for example as highlighted by Evan Perez and Shimon Prokupecz in their December 17, 2015 report in CNN, quote government officials as saying that the suspects had used encrypted messaging applications to communicate with each other. In the US, the Federal Bureau of Investigation (FBI) has taken Apple to court to gain access to the smartphone of one of the suspects in the December 2015 mass shooting in San Bernardino, as reported by Ellen Nakashima in her April 16, 2016 article in The Washington Post.

While the ubiquitous nature of encryption will be an impediment to successful law enforcement processes and its use could greatly increase in the future, there is currently a lack of empirical data that shows the magnitude of its impact. Caution must be exercised, therefore, when attributing the role of encrypted technologies in foiling overall national security objectives; any policy framework must reflect such consideration.

Encryption Workarounds in the Context of Policy Development

In the context of criminal investigations and the larger question of the impact of encrypted communications, there is another dimension that merits consideration: the existence of encryption workarounds. Defined by Kerr and Schneier (2017) as any lawful government effort to reveal unencrypted plaintext of a target’s data that has been concealed by encryption, the use of encryption workarounds raises significant legal and practical hurdles.

The most important takeaway, however, is that the existence of workarounds could mean that encryption does not cause as remarkable a shift in law enforcement’s investigative powers as thought of. Whenever targets use encryption, governments turn to a set of tools and methods to remove the barrier that denies access to private information. Kerr and Schneier identify six of them—the first three are key-based methods that rely on finding, guessing, or compelling the key which then allows decryption; the latter three focus on government efforts to exploit a flaw in the encryption system, accessing plaintext when the target’s device is in use, and locating a copy of the plaintext.

Each of these methods brings forth certain tradeoffs and raises questions that need to be addressed by future legal and policy frameworks on encryption. For example, accessing plaintext when the target’s device is in use by gaining remote access through technical means, brings with it legal ambiguities on government hacking. There are also substantial privacy and human rights implications associated with this method, including the risk of a paucity of oversight, accountability, and transparency (European Digital Rights 2017).

Similarly, governments can exploit a flaw in the encryption scheme as was illustrated in the San Bernardino terrorist attack. After Apple refused to comply with the FBI’s request to disable the auto-erase feature on the iPhone, the bureau reportedly sought third-party assistance. This brought forth the question of government stockpiling vulnerabilities and whether the government should have disclosed the vulnerability, so Apple could patch it.

Despite the host of ethical, legal, and technical challenges, governments have encryption workarounds at their disposal and they are used, sometimes in combination, to counter encryption barriers.

Security concerns with respect to weakening encryption, in the form of providing exceptional encryption access, for example, have been well-documented and substantiated by security researchers, and recognised—in principle at least—by most governments. ‘Exceptional access’ is defined as giving an individual or organisation access to readable data someone has encrypted and required that the third party be granted access to the plaintext data associated with encrypted data (Vandenberg 2018).

Building on any form of exceptional access would significantly increase system complexity and features to permit such access to law enforcement could be challenging given that their use would be surreptitious (Abelson et al. 2015).

Therefore, creating an exceptional access system with encryption accessible to government authorities and law enforcement officials but not to malicious actors, would be technically impossible or complex enough to implement that the overall safety of communications would suffer (The Chertoff Group 2015). Such an exceptional access system would also compel companies to possibly relinquish best practices developed to make the internet and interactions through it more secure.

With forward secrecy, for example, a new session key is generated for each session that a user initiates which greatly reduces the exposure of an entity that has been compromised. Since the session keys are discarded after each session, any attacker breaching a network can only gain access to decrypted data from the breach until the breach is discovered, rendering historic data safe (Abelson et al. 2015). Therefore, mandating weaknesses in encrypted systems would not only increase vulnerabilities but also hinder innovation and development of security markets.

Challenges to Formulating Encryption Policies

Given the myriad of technical, legal, practical, and ethical questions regarding the use of encrypted technologies and exceptional access to data, there are a number of obstacles that affect policy development at the domestic, regional, and international level. Owing to the global nature of the internet and involvement of actors across countries in availability and development of interconnected communication platforms, the effects of these bottlenecks cannot be clearly delineated at each level given considerable overlaps.

The first set of challenges arises over the question of jurisdiction. Attempting to develop any international access framework and requiring communication providers to guarantee access to numerous government agencies in countries that do not necessarily have the same legal framework would be extremely complex.

Having one set of internationally defined conditions under which lawful access to encrypted communications can be granted would be an immensely arduous undertaking, not least due to the differing approaches of nation-states on freedom of communications, access to the internet, and regulation of cyberspace.

There are unanswered questions regarding enforcement and compliance, illustrated in the ongoing discussions between WhatsApp and the Indian government—is it feasible for a government to mandate a feature like traceability across all applications that are used within its jurisdiction? Not only would it be difficult to get companies to comply with such a rule but mandating it would simply spur an increased use in applications like Tor or an increased use of VPNs, providing alternate methods of secure communication.

Any aggressive enforcement would also negatively affect innovation and industry. The Australian Assistance and Access bill is an example of domestic policies having competing regulations to regional ones as certain parts of the bill can compel companies to override the General Data Protection Regulation (GDPR) terms in Europe and hand data over to Australian law enforcement, as reported by Chris Duckett in his September 11, 2018 article on ZDNet. Cross-border regulatory differences, therefore, pose an intractable barrier to developing a universally enforceable and accepted encryption policy.

The fundamental discord between incentives of the private sector—including service providers, vendors, manufactures, and software developers—to enhance the security of communications and the larger national security objectives of the government will continue to be a point of contention. A host of new developments discussed earlier in this paper, represent a technological trend aimed at providing the highest level of privacy and security of communications to the average user. Encryption technology aims to create barriers to third-party access, a property that is in the interests of law enforcement to counter during criminal investigations. The San Bernardino case is a prime example of this and there continue to be more such instances.

Therefore, the extent to which third-party assistance can be mandated and necessitated by governments will be crucial. The question of jurisdiction is relevant here as well—can foreign companies be required to fundamentally alter essential features of their application, like default end-to-end encryption for example, depending on where they operate?

The third set of obstacles to encryption policy formulation raises ethical and normative considerations. While this paper has established that moving beyond the privacy-security dichotomy is crucial to developing a comprehensive approach to policy development in this area, encryption policy reflects a normative judgement on the part of the government about the value of such technology.

There is a continual strain of thinking on the part of governments to gain access to encrypted communication without breaking encryption or introducing systemic vulnerabilities. Respecting trust, cooperation, and innovation in the internet ecosystem and to all stakeholders forms the benchmark of democratic digital policies. While states have recognised the significance of encryption in ensuring safe and secure communication, the implications of legislation, if it seeks to counter such provisions, on democratic values, would need to be carefully considered.

Conclusions

As businesses develop user-friendly ways to integrate end-to-end encryption and adopt operational systems that change default local encryption setting from ‘off’ to ‘on’, aiming for the highest level of privacy and security for the user, governments face increasing barriers of lawfully accessing citizens’ private information.

The recent spate of terrorist attacks in Europe have largely influenced policy discussions, stoking fears that encrypted communications will significantly restrict governments’ abilities to successfully stem terrorist and criminal activities. The misuse of messaging platforms by rapidly spreading misinformation has started to fuel similar conversations in India.

However, lack of sufficient data on the impact of encryption on criminal investigations and the existence of encryption workarounds at the disposal of the government may point to a less dramatic shift in governments’ investigative powers than currently perceived. This also necessitates a move beyond the privacy-versus-security dichotomy that the policy debate on encryption lays within. Security concerns and the detrimental impact on innovation and industry of weakening encryption or enabling exceptional encryption access have been well-documented.

These technical, legal, and practical considerations highlight the considerable hindrances to policy development in the field of encryption.

There are unresolved issues with respect to jurisdiction and legitimacy of an internationally-enforceable encryption policy framework. The fundamental discord between incentives of the private sector, including service providers, vendors, manufactures, and software developers, to enhance the security of communications and the larger national security objectives of the government will continue to be a point of contention. Encryption policy debates also bring forth ethical concerns and the significance of a normative judgement that a state attaches to the value of such technology, particularly in protecting democratic principles.

The dialogue on encryption, therefore, is part of a much larger debate on security, accountability, and responsibility of internet tools. Developing an encryption policy that recognises the principles of mutual trust and responsibility between all stakeholders and accounts for the commercial interests of private companies, state security objectives, and safe online communications for the individual user will define efforts at the national, regional, and international level.


The article was originally published in The Visio Journal 3 (2018)


This paper was originally published in Digital Debates, a journal by the Observer Research Foundation on October 4, 2018.


References

Bhargava, Yuthika. 2018. “Whatsapp rejects India’s demand to trace origin of message,” The Hindu, August 23. https://www.thehindu.com/sci-tech/technology/whatsapp-rejects-indias-demand-to-track-origin-of-message/article24761366.ece.

Budish, Ryan., Burkert, Herbert., and Urs Gasser. 2018. Encryption Policy and its International Impacts: A Framework for Understanding Extraterritorial Ripple Effects. Hoover Institution. https://www.hoover.org/research/encryption-policy-and-its-international-impacts.

Department of Home Affairs, Government of Australia. 2018. Assistance and Access Bill 2018. https://www.homeaffairs.gov.au/consultations/Documents/explanatory-document.pdf.

Department of Home Affairs, Government of Australia. 2018. Statement of Principles on Access to Evidence and Encryption. https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption.

Duckett, Chris. 2018. “Internet Architecture Board warns Australian encryption-busting laws could fragment the internet,” ZDNet, September 11. https://www.zdnet.com/article/internet-architecture-board-warns-australian-encryption-busting-laws-could-fragment-the-internet/.

Vandenberg, Dustin T. 2018. “Encryption Served Three Ways: Disruptiveness as the Key to Exceptional Access,” Berkeley Technology Journal Law Journal 32 (4): 531-562. https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2167&context=btlj.

European Digital Rights. 2017. “Encryption Workarounds: A Digital Rights Perspective” https://edri.org/files/encryption/workarounds_edriposition_20170912.pdf.

Abelson, Harold, et al. 2015. “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications”, MIT Computer Science and Artificial Intelligence Lab. https://dspace.mit.edu/handle/1721.1/97690.

Kerr, Orin S., and Schneier, Bruce. 2017. “Encryption Workarounds.” Georgetown Law Journal 106: 989-1019. https://ssrn.com/abstract=2938033.

Lewis, James A., Zheng, Denise E., Carter, and A. William. 2017. The Effect of Encryption on Lawful Access to Communications and Data. Washington, D.C.: CSIS and Rowman & Littlefield. https://www.csis.org/analysis/effect-encryption-lawful-access-communications-and-data.

Mann, Monique. 2018. “The devil is in the detail of government bill to enable access to communications data.” The Conversation, August 15. https://theconversation.com/the-devil-is-in-the-detail-of-government-bill-to-enable-access-to-communications-data-96909

Nakashima, Ellen. 2016. “FBI paid professional hackers one-time fee to crack San Bernardino iPhone.” The Washington Post, April 12. https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html.

Perez, Evan, and Shimon Prokupecz. 2015. “Paris attacker likely used encrypted apps, officials say,” CNN, 17 December. http://www.cnn.com/2015/12/17/politics/paris-attacks-terrorists-encryption.

The Chertoff Group. 2015. The Ground Truth About Encryption. https://www.chertoffgroup.com/files/238024-282765.groundtruth.pdf.

Anushka Kaushik
Visio Institut