Good morning, everybody. Thank you for being here today. A special thank you to New America for hosting this event and for bringing us all together on what continues to be, and probably will for the foreseeable future continue to be an incredibly important topic. As Ross said, my name is Amie Stepanovich. I am US policy manager at Access Now.
Access Now is a global civil society organization that fights to extend and defend the rights of users at risk around the world. Along with my colleagues in six different offices and several satellite presences, we respond to threats as they emerge. This means that a lot of times we meet with high-level company executives or government officials to talk about how laws and policies influence the end user. And then we also work directly with the end user through a twenty-four hour a day seven days a week digital security helpline that allows journalists or activists to contact a technology specialist and talk about the risks that they are facing. And whether or not it’s through the top-down or through the bottom-up, one of the issues we continue to grapple with is the ability to use and develop encryption.
Encryption is a key piece of a robust enterprise approach to cybersecurity. It keeps down the number of data breaches as the scale and the size of data breaches continues only to grow. It also is the first line of defense that users have against people accessing their data on an individual level.
Important for Access Now is that encryption also protects human rights. In a 2015 report by David Kaye, who’s the UN Special Rapporteur for freedom of expression, he specifically tied encryption to the ability of users to freely exercise their freedom of expression and their privacy rights.
Users around the world use encryption in order to communicate, to organize, and to live their lives away from government persecution or unauthorized bad actors. For example, LGBT individuals in the Middle East/North Africa region, the MENA region, use encryption in order to communicate with people in order to explore their identities in order to be free of government persecution.
By contrast, there’s a specific example of an activist in Mexico who ran a Twitter account that criticized the drug cartels. And when the drug cartels were able to get a hold of her cell phone, they were able to tie her specifically to that Twitter account, and she actually was horribly murdered because of her connection, because of information they were able to get off of her cell phone. Encryption, and particularly robust end-to-end encryption by default, provides these users with the best line of defense against really bad things happening.
So, what’s the problem? Governments want access to content. And depending on what government you’re talking about, that could be bulk access, that could be targeted access, it could be accessed with a lot of protections for human rights, or access with no protections and no notice for human rights whatsoever. But really, across the board, the one thing you can rely on is that governments are going to want access. And some of the most secure services out there are designed in a way to prevent that access.
Mandates increase the cost of doing business. They increase the system complexity, which is the enemy of security. They force a u‑turn from best practices to make the Internet more secure. And they attract bad actors, according to a report last year by some of the most noted cryptographers of our time. These are the mandates that governments are turning to in order to maintain access in the face of encryption. And the mandates are popping up everywhere. So, for the rest of my time I’m going to talk a little bit about a survey that we’ve done and we continue to do about where these mandates are popping up and what they look like. Because they take all different forms.
Many of you are going to be very familiar with the debate that’s happening in the United States. In fact, there’s a panel later talking about Apple vs. FBI, because the new front on the crypto debate in the US is really a set of courts in New York and California where we’re fighting over the All Writs Act. In fact, I think it’s been estimated to me by several independent people that there were more amicus briefs filed in the Apple case in San Bernardino in the Central District of California than any other magistrate courtroom ever. There are so many people weighing in on this issue and there are so many interests at stake that everybody is really getting involved.
But the US isn’t actually—oddly enough—the place where the most-heated discussions are happening. I believe that actual honor goes to the United Kingdom, which is debating the Investigatory Powers Act. Amongst many provisions in that bill, which seeks to update and to compress and expand all the surveillance authorities for the UK, it contains a provision that would allow the Secretary of State for the UK to require companies to build in certain mechanisms to allow continued government access to information. That provision went from the draft proposal into the proposal that was introduced into Parliament, despite broad opposition from civil society, from companies, and indications from several Parliamentary committees that reviewed the legislation that an exception needed to be made for end-to-end encryption. No such exception ended up in the final product. And because that bill will have extraterritorial effect, it won’t only affect companies in the UK, it’s going to affect everybody all over the world.
Another approach we’re seeing, Rwanda requires that providers maintain the ability to decrypt information upon request. China also passed a law in December that requires essentially the same thing, that providers maintain the ability to decrypt information. And the upper limit, the upper fine, in China for a serious violation of that requirement? There is no upper limit. Companies can be fined as much as the Chinese government would like for using strong end-to-end encryption. Colombia, since the 1990s actually, has outright banned the use of encryption by users. It’s tenable how that is being enforced. The funny thing is, is there’s a separate law that requires in Colombia that encryption be made available to government and intelligence officials, whilst everyday users are banned from using it.
Just last year, Kazakhstan started requiring that users install what they’re calling “national security certificates” on their end devices, reportedly to allow the government to work its way around the encryption. This is the actual basic backdoor piece. They’re requiring that to be installed on end users’ computer. The New York Times tried to look into this, and when they quizzed a national telecom in Kazakhstan, they pulled the notice down, so we actually don’t know where that policy is. Russia also can require providers to insert backdoors onto their end devices.
And then we saw just this last month, probably the most troubling approach to this was in Brazil, where they arrested a Vice President of Facebook for not providing WhatsApp messages to the Brazilian government. Messages that were reportedly end-to-end encrypted and couldn’t be provided because Facebook didn’t have access to those messages. France is also considering the same approach.
The reason that we say this is so dangerous is because you’re not going to find the possibility for jail time in any company’s benefits package. This is not a way to attract top talent, is to put your executives at risk for being put into prison because you’re using encryption, which actually disincentivizes the use of encryption.
And then there are the policies that don’t make sense at all. In India they actually pulled a draft encryption policy the same day last year as they published it. The policy allowed the use of encryption, talked about how good encryption was, and then required that the plaintext version of any encrypted text be stored right alongside the encrypted text. [audience laughter] That’s exactly the reaction you should have to that, so they pulled that down.
We’re trying to work globally to respond to this. We launched securetheinternet.org with organizations from forty different companies signing onto it, experts, companies all over the world trying to provide a global response to this global problem. Because we’re scared that with too many mandates, the entire bottom might fall out of the system we’ve created, and all the benefits of encryption are going to be for naught. Thank you.
Further Reference
The Cybersecurity for a New America event home page