In a speech last week, Attorney-General William Barr began again to push for a law that would oblige U.S. businesses to decrypt people’s data if the government told them to. This is far from the first time that U.S. law enforcement officials have demanded such a law.
What’s different now is that the U.S. initiative is just one initiative among many: Other governments also are pressing for similar authorities. Why is this happening now, and why so many countries? Here’s what these initiatives have in common, and how they differ in critical ways.
Other countries are pushing back against encryption
The Trump administration’s arguments for a ban on uncrackable encryption may sound more like Beijing than ordinary D.C. politics. But other countries are making similar demands. In Australia, the government rushed through a new law at the end of last year giving it the authority to force companies to decrypt data, including by requiring them to “creat[e] a new interception capability.” In Germany, a similar proposal by its minister for interior this spring encountered significant pushback by civil society and the hacker community.
A series of international briefs prepared by local and area experts at the request of the Encryption Working Group, convened by Princeton University’s Center for Information Technology Policy and the Carnegie Endowment for International Peace, makes it clear though that there are significant common trends across these countries – but important differences, too.
These are the trends shaping the encryption debate globally
The U.S. government used to control the export of encryption but gave it up in the 1990s, paving the way for the use of encryption on the World Wide Web — for instance, secure web services like credit card payments use encryption — and in communications applications such as WhatsApp and Signal. This meant that governments that had once worried about how to acquire strong encryption now started to worry instead about how individuals — whether activists, criminals or ordinary citizens — could now hide their communications from the government. Many governments now think that the key issue with encryption issue is that it complicates law enforcement and anti-terrorism agencies’ efforts to do their jobs.
However, countries respond to these challenges quite differently. Some — like China — focus on banning certain encryption technologies, while others are prioritizing “lawful hacking” that can enable government access to encrypted data and devices. Germany has established a new bureaucracy for lawful hacking, with the goal of hiring 400 staffers by 2022. The “Five Eyes” alliance of countries that cooperate closely on intelligence matters — Australia, Canada, New Zealand, the U.K. and the U.S. — are coordinating their encryption policies and demanding that industry cooperate. In Brazil, the government has already briefly arrested an executive of Facebook’s WhatsApp to force compliance.
Huawei is better positioned to spy on us than we think
This is leading to continued tension between governments and tech companies. Some U.S.-based companies made compromises with governments that allow them to continue operating in profitable foreign markets. Government pressure led Blackberry to agree to locate its servers in India and to share its communication data in plain text with the Indian government.
In 2018, Apple announced that it would store Chinese users’ iCloud data and encryption keys locally with a China-based cloud service provider. This followed an earlier offer of phone models supporting Beijing’s preferred WAPI standard. Such concessions allowed companies to avoid their products being banned by governments — as happened in 2017, when China blocked WhatsApp. Countries like India and China that have big domestic markets are better able to get concessions from foreign tech companies. Smaller countries like Brazil face an uphill battle and have taken more aggressive steps. For example, a Brazilian judge ordered the arrest of a senior Facebook executive after WhatsApp (owned by Facebook) refused to cooperate with a criminal investigation.
Governments have varying goals
Different governments have different objectives on encryption. Most would list counterterrorism and law enforcement, but those goals often camouflage other motives. Some wish to strengthen domestic tech sectors by disadvantaging foreign competitors; others have concerns about foreign intelligence and the relationships foreign companies have with their own governments. Some liberal democracies have exhibited greater willingness to regulate the tech sector, particularly U.S. firms, as skepticism of global tech companies has grown globally.
Countries vary in how they make tradeoffs between national security and allowing their citizens access to encryption, which protects privacy. Germany is on one end of the spectrum, with a declared government policy to become “the world’s leading country” in adopting encryption. China is at the other, having banned communications services using end-to-end encryption. Brazil is moving closer to Germany. Australia and the United Kingdom recently moved in the opposite direction, thanks in part to the U.K. intelligence service’s newlaw principles for Exceptional Access that seek to create guidelines for getting access to encrypted data.
India may be the most interesting case. One of the Encryption Working Group’s briefs describes how the debate has “undergone a tectonic shift in the past few years.” The Indian government has developed new data protection legislation and called on WhatsApp to trace its messages so that it can track and curb disinformation. With India expected to surpass China as the world’s most populous country and biggest market in less than a decade, companies and governments alike will watch New Delhi’s path closely. What develops in India may have major consequences for the geopolitics of data in the future.
Don’t miss anything! Sign up to get TMC’s smart analysis in your inbox, three days a week.
Tim Maurer (@maurertim) is co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, and author of Cyber Mercenaries: The State, Hackers, and Power (Cambridge University Press, 2018).
Garrett Hinck is a research assistant with the Cyber Policy Initiative and the Nuclear Policy Program at the Carnegie Endowment for International Peace.