Good morning, everybody. Thank you for being here today. A special thank you to New America for hosting this event and for bringing us all together on what continues to be, and probably will for the foreseeable future continue to be, an incredibly important topic. As Ross said, my name is Amie Stepanovich. I am US policy manager at Access Now.

Access Now is a global civil society organization that fights to extend and defend the rights of users at risk around the world. Along with my colleagues in six different offices and several satellite presences, we respond to threats as they emerge. This means that a lot of times we meet with high-level company executives or government officials to talk about how laws and policies influence the end user. And then we also work directly with the end user through a twenty-four hour a day seven days a week digital security helpline that allows journalists or activists to contact a technology specialist and talk about the risks that they are facing. And whether or not it’s through the top-down or through the bottom-up, one of the issues we continue to grapple with is the ability to use and develop encryption.

Encryption is a key piece of a robust enterprise approach to cybersecurity. It keeps down the number of data breaches as the scale and the size of data breaches continue only to grow. It also is the first line of defense that users have against people accessing their data on an individual level.

Important for Access Now is that encryption also protects human rights. In a 2015 report by David Kaye, who’s the UN Special Rapporteur for freedom of expression, he specifically tied encryption to the ability of users to freely exercise their freedom of expression and their privacy rights.

Users around the world use encryption in order to communicate, to organize, and to live their lives away from government persecution or unauthorized bad actors. For example, LGBT individuals in the Middle East/North Africa region, the MENA region, use encryption in order to communicate with people in order to explore their identities in order to be free of government persecution.

By contrast, there’s a specific example of an activist in Mexico who ran a Twitter account that criticized the drug cartels. And when the drug cartels were able to get a hold of her cell phone, they were able to tie her specifically to that Twitter account, and she actually was horribly murdered because of her connection, because of information they were able to get off of her cell phone. Encryption, and particularly robust end-to-end encryption by default, provides these users with the best line of defense against really bad things happening.

So, what’s the problem? Governments want access to content. And depending on what government you’re talking about, that could be bulk access, that could be targeted access, it could be accessed with a lot of protections for human rights, or access with no protections and no notice for human rights whatsoever. But really, across the board, the one thing you can rely on is that governments are going to want access. And some of the most secure services out there are designed in a way to prevent that access.

Mandates increase the cost of doing business. They increase the system complexity, which is the enemy of security. They force a U-turn from best practices to make the Internet more secure. And they attract bad actors, according to a report last year by some of the most noted cryptographers of our time. These are the mandates that governments are turning to in order to maintain access in the face of encryption. And the mandates are popping up everywhere. So, for the rest of my time I’m going to talk a little bit about a survey that we’ve done and we continue to do about where these mandates are popping up and what they look like. Because they take all different forms.

Many of you are going to be very familiar with the debate that’s happening in the United States. In fact, there’s a panel later talking about Apple vs. FBI, because the new front on the crypto debate in the US is really a set of courts in New York in California where we’re fighting over All Writs Act. In fact, I think it’s been estimated to me by several independent people that there were more amicus briefs filed in the Apple case in San Bernardino in the Central District of California than any other magistrate courtroom ever. There are so many people weighing in on this issue and there are so many interests at stake that everybody is really getting involved.

But the US isn’t actually, oddly enough, the place where the most-heated discussions are happening. I believe that actual honor goes to the United Kingdom, which is debating the Investigatory Powers Act. Amongst many provisions in that bill, which seeks to update and to compress and expand all the surveillance authorities for the UK, it contains a provision that would allow the Secretary of State for the UK to require companies to build in certain mechanisms to allow continued government access to information. That provision went from the draft proposal into the proposal that was introduced into Parliament, despite broad opposition from civil society, from companies, and indications from several Parliamentary committees that reviewed the legislation that an exception needed to be made for end-to-end encryption. No such exception ended up in the final product. And because that bill will have extraterritorial effect, it won’t only affect companies in the UK, it’s going to affect everybody all over the world.

Another approach we’re seeing: Rwanda requires that providers maintain the ability to decrypt information upon request. China also passed a law in December that requires essentially the same thing, that providers maintain the ability to decrypt information. And the upper limit, the upper fine, in China for a serious violation of that requirement? There is no upper limit. Companies can be fined as much as the Chinese government would like for using strong end-to-end encryption. Colombia, since the 1990s actually, has outright banned the use of encryption by users. It’s tenable how that is being enforced. The funny thing is, is there’s a separate law that requires in Colombia that encryption be made available to government and intelligence officials, whilst everyday users are banned from using it.

Just last year, Kazakhstan started requiring that users install what they’re calling “national security certificates” on their end devices, reportedly to allow the government to work its way around the encryption. This is the actual basic backdoor piece. They’re requiring that to be installed on end users’ computer. The New York Times tried to look into this, and when they quizzed a national telecom in Kazakhstan, they pulled the notice down, so we actually don’t know where that policy is. Russia also can require providers to insert backdoors onto their end devices.

And then we saw just this last month, probably the most troubling approach to this was in Brazil, where they arrested a Vice President of Facebook for not providing WhatsApp messages to the Brazilian government. Messages that were reportedly end-to-end encrypted and couldn’t be provided because Facebook didn’t have access to those messages. France is also considering the same approach.

The reason that we say this is so dangerous is because you’re not going to find the possibility for jail time in any company’s benefits package. This is not a way to attract top talent, is to put your executives at risk for being put into prison because you’re using encryption, which actually disincentivizes the use of encryption.

And then there are the policies that don’t make sense at all. In India they actually pulled a draft encryption policy the same day last year as they published it. The policy allowed the use of encryption, talked about how good encryption was, and then required that the plaintext version of any encrypted text be stored right alongside the encrypted text. [audience laughter] That’s exactly the reaction you should have to that, so they pulled that down.

We’re trying to work globally to respond to this. We launched securetheinternet.org with organizations from forty different companies signing onto it, experts, companies all over the world trying to provide a global response to this global problem. Because we’re scared that with too many mandates, the entire bottom might fall out of the system we’ve created, and all the benefits of encryption are going to be for naught. Thank you.

Further Reference

The Cybersecurity for a New America event home page