Remarks at IGF 2017 Session on Encryption

The following are my opening remarks for the encryption panel during the IGF 2017 main session, "Local interventions, global impacts: How can international, multistakeholder cooperation address Internet disruptions, encryption, and data flows?"

Encryption is not a security threat. It promotes public security, using "public" both in the sense of the state, and of individuals.
It is vital that the world’s democracies respect and support the use of strong encryption for both communications and stored data. That is true for at least two reasons.
The first reason is that encryption is very important to human rights. It protects activists; dissidents; journalists; NGO workers; and religious, ethnic, sexual, and political minorities, from governments that do not respect human rights. So, if a democracy that purports to respect human rights stands up and says “we do not support strong encryption,” that makes it easier for oppressive countries to say “neither do we.” And if those countries undermine encryption, if they make it harder to use strong encryption in devices, or apps and other software, or web traffic, then the people they persecute within their borders will have weaker security, and so they are at greater risk of persecution from their governments. That is, if a democracy says it supports human rights but refuses to support strong encryption, it is giving cover to oppressive countries to carry out the very persecution the democracy says it abhors. And it has given up the moral standing to push back against that persecution. If a democracy says, "We need to weaken encryption so we can investigate crime," it is harder for it to criticize a repressive regime that does the same thing, but the crime it's investigating is saying something bad about the king, or being gay.
The second reason is that our countries are all interconnected. We might use a mobile device made in one country, running an OS made in country #2, and on that mobile OS we might use an app made in country #3 to access our account on a server physically located in country #4. And maybe we personally are located in none of those countries!
So, if one country bans strong encryption, and a company in that country weakens its service’s encryption to comply with the law, that undermines the security of all of the users worldwide, not just the users in-jurisdiction. Information security is a global matter. 
And it's also a temporal matter. Mandates to undermine encryption now will have unknowable negative security consequences in the future for years to come. We have already seen how the USA's previous regulations on export-grade encryption had security impacts years after the US lifted those export restrictions.
And there is a flip side, too: If one country bans strong encryption, but other countries do not, then some entities will move to those latter jurisdictions so they can keep doing business without weakening their products’ encryption, and so they don’t lose users. This makes the first country’s ban kind of pointless! All it did was push the entity the country wanted to regulate to a place outside the reach of the country's laws. That may not even keep its citizens from accessing those encrypted products and services, because they're still available from abroad. Or, if their country blocks the encrypted service, users there may turn to less secure alternatives. That is, the country is harming its own citizens' security.
Inducing entities to move to another jurisdiction also puts those users at the mercy of whatever the new host country’s laws are. Maybe the new country does not ban strong encryption, but maybe it has other laws about cybersecurity or privacy or bulk surveillance or data localization or restrictions on free expression that will still end up affecting those users, assuming the entity complies with its new host country's laws.
So, if the world’s democracies chase away the developers of encrypted devices and services, off to countries that have laws the democracies aren’t OK with, the democracies can end up subjecting their own citizens to those other countries’ laws, as an unintended consequence of their own laws about encryption.
That is why it is important for democratic countries that have a strong rule of law to realize that strong encryption promotes the rule of law; it does not undermine it as so many law enforcement officials in democratic countries are fond of saying.
