Good morn­ing, every­body. Thank you for being here today. A spe­cial thank you to New America for host­ing this event and for bring­ing us all togeth­er on what con­tin­ues to be, and prob­a­bly will for the fore­see­able future con­tin­ue to be an incred­i­bly impor­tant top­ic. As Ross said, my name is Amie Stepanovich. I am US pol­i­cy man­ag­er at Access Now.

Access Now is a glob­al civ­il soci­ety orga­ni­za­tion that fights to extend and defend the rights of users at risk around the world. Along with my col­leagues in six dif­fer­ent offices and sev­er­al satel­lite pres­ences, we respond to threats as they emerge. This means that a lot of times we meet with high-level com­pa­ny exec­u­tives or gov­ern­ment offi­cials to talk about how laws and poli­cies influ­ence the end user. And then we also work direct­ly with the end user through a twenty-four hour a day sev­en days a week dig­i­tal secu­ri­ty helpline that allows jour­nal­ists or activists to con­tact a tech­nol­o­gy spe­cial­ist and talk about the risks that they are fac­ing. And whether or not it’s through the top-down or through the bottom-up, one of the issues we con­tin­ue to grap­ple with is the abil­i­ty to use and devel­op encryption.

Encryption is a key piece of a robust enter­prise approach to cyber­se­cu­ri­ty. It keeps down the num­ber of data breach­es as the scale and the size of data breach­es con­tin­ues only to grow. It also is the first line of defense that users have against peo­ple access­ing their data on an indi­vid­ual level. 

Important for Access Now is that encryp­tion also pro­tects human rights. In a 2015 report by David Kaye, who’s the UN Special Rapporteur for free­dom of expres­sion, he specif­i­cal­ly tied encryp­tion to the abil­i­ty of users to freely exer­cise their free­dom of expres­sion and their pri­va­cy rights.

Users around the world use encryption in order to communicate, to organize, and to live their lives away from government persecution or unauthorized bad actors. For example, LGBT individuals in the Middle East/North Africa region, the MENA region, use encryption in order to communicate with people in order to explore their identities in order to be free of government persecution.

By con­trast, there’s a spe­cif­ic exam­ple of an activist in Mexico who ran a Twitter account that crit­i­cized the drug car­tels. And when the drug car­tels were able to get a hold of her cell phone, they were able to tie her specif­i­cal­ly to that Twitter account, and she actu­al­ly was hor­ri­bly mur­dered because of her con­nec­tion, because of infor­ma­tion they were able to get off of her cell phone. Encryption, and par­tic­u­lar­ly robust end-to-end encryp­tion by default, pro­vides these users with the best line of defense against real­ly bad things happening.

So, what’s the prob­lem? Governments want access to con­tent. And depend­ing on what gov­ern­ment you’re talk­ing about, that could be bulk access, that could be tar­get­ed access, it could be accessed with a lot of pro­tec­tions for human rights, or access with no pro­tec­tions and no notice for human rights what­so­ev­er. But real­ly, across the board, the one thing you can rely on is that gov­ern­ments are going to want access. And some of the most secure ser­vices out there are designed in a way to pre­vent that access.

Mandates increase the cost of doing business. They increase the system complexity, which is the enemy of security. They force a u-turn from best practices to make the Internet more secure. And they attract bad actors, according to a report last year by some of the most noted cryptographers of our time. These are the mandates that governments are turning to in order to maintain access in the face of encryption. And the mandates are popping up everywhere. So, for the rest of my time I’m going to talk a little bit about a survey that we’ve done and we continue to do about where these mandates are popping up and what they look like. Because they take all different forms.

Many of you are going to be very familiar with the debate that’s happening in the United States. In fact, there’s a panel later talking about Apple vs. FBI, because the new front on the crypto debate in the US is really a set of courts in New York and in California where we’re fighting over the All Writs Act. In fact, I think it’s been estimated to me by several independent people that there were more amicus briefs filed in the Apple case in San Bernardino in the Central District of California than any other magistrate courtroom ever. There are so many people weighing in on this issue and there are so many interests at stake that everybody is really getting involved.

But the US isn’t actually—oddly enough—the place where the most-heated dis­cus­sions are hap­pen­ing. I believe that actu­al hon­or goes to the United Kingdom, which is debat­ing the Investigatory Powers Act. Amongst many pro­vi­sions in that bill, which seeks to update and to com­press and expand all the sur­veil­lance author­i­ties for the UK, it con­tains a pro­vi­sion that would allow the Secretary of State for the UK to require com­pa­nies to build in cer­tain mech­a­nisms to allow con­tin­ued gov­ern­ment access to infor­ma­tion. That pro­vi­sion went from the draft pro­pos­al into the pro­pos­al that was intro­duced into Parliament, despite broad oppo­si­tion from civ­il soci­ety, from com­pa­nies, and indi­ca­tions from sev­er­al Parliamentary com­mit­tees that reviewed the leg­is­la­tion that an excep­tion need­ed to be made for end-to-end encryp­tion. No such excep­tion end­ed up in the final prod­uct. And because that bill will have extrater­ri­to­r­i­al effect, it won’t only affect com­pa­nies in the UK, it’s going to affect every­body all over the world.

Another approach we’re seeing, Rwanda requires that providers maintain the ability to decrypt information upon request. China also passed a law in December that requires essentially the same thing, that providers maintain the ability to decrypt information. And the upper limit, the upper fine, in China for a serious violation of that requirement? There is no upper limit. Companies can be fined as much as the Chinese government would like for using strong end-to-end encryption. Colombia, since the 1990s actually, has outright banned the use of encryption by users. It’s tenable how that is being enforced. The funny thing is, is there’s a separate law that requires in Colombia that encryption be made available to government and intelligence officials, whilst everyday users are banned from using it.

Just last year, Kazakhstan started requiring that users install what they’re calling “national security certificates” on their end devices, reportedly to allow the government to work its way around the encryption. This is the actual basic backdoor piece. They’re requiring that to be installed on end users’ computer. The New York Times tried to look into this, and when they quizzed a national telecom in Kazakhstan, they pulled the notice down, so we actually don’t know where that policy is. Russia also can require providers to insert backdoors onto their end devices.

And then we saw just this last month, prob­a­bly the most trou­bling approach to this was in Brazil, where they arrest­ed a Vice President of Facebook for not pro­vid­ing WhatsApp mes­sages to the Brazilian gov­ern­ment. Messages that were report­ed­ly end-to-end encrypt­ed and could­n’t be pro­vid­ed because Facebook did­n’t have access to those mes­sages. France is also con­sid­er­ing the same approach.

The rea­son that we say this is so dan­ger­ous is because you’re not going to find the pos­si­bil­i­ty for jail time in any com­pa­ny’s ben­e­fits pack­age. This is not a way to attract top tal­ent, is to put your exec­u­tives at risk for being put into prison because you’re using encryp­tion, which actu­al­ly dis­in­cen­tivizes the use of encryption. 

And then there are the poli­cies that don’t make sense at all. In India they actu­al­ly pulled a draft encryp­tion pol­i­cy the same day last year as they pub­lished it. The pol­i­cy allowed the use of encryp­tion, talked about how good encryp­tion was, and then required that the plain­text ver­sion of any encrypt­ed text be stored right along­side the encrypt­ed text. [audi­ence laugh­ter] That’s exact­ly the reac­tion you should have to that, so they pulled that down.

We’re trying to work globally to respond to this. We launched securetheinternet.org with organizations from forty different companies signing onto it, experts, companies all over the world trying to provide a global response to this global problem. Because we’re scared that with too many mandates, the entire bottom might fall out of the system we’ve created, and all the benefits of encryption are going to be for naught. Thank you.

Further Reference

The Cybersecurity for a New America event home page
