Let’s talk about encryption
The awkward relationship between privacy and law enforcement.
George Orwell’s ‘1984’ foreshadowed a terrifying dystopian reality, in which each individual is subjected to the far-stretching surveillance techniques of the state. The Edward Snowden revelations in 2013 showed that Orwell’s reality was perhaps closer than ever, pointing at large-scale data collection which even went as far as constantly monitoring regular Americans’ phone calls. US internet companies were consequently placed in an awkward position after it was revealed they too contributed to the large-scale data collection of the NSA (National Security Agency, a US intelligence agency).
The NSA and its allies justified their actions by pointing toward the ‘war on terror’ and the idea that ‘if you have nothing to hide, you have nothing to fear’. In Europe, the encryption debate arose in 2016 after a series of terrorist attacks, in the aftermath of which Europol and national law enforcement authorities identified encryption as a key barrier to combating terrorism. In the wake of these events, EU member states pointed out the need for increased cooperation by electronic communication service providers with law enforcement agencies. Today, the question remains: to what extent should encryption and the associated values of privacy and technological development be safeguarded at the expense of more efficient prosecution of criminals?
‘Encryption’. Encryption is the act of turning communications into a secret code, so that only those who are authorized can read them. The most well-known historical example of encryption is the Enigma machine used by Nazi Germany during World War II. Nowadays, communication platforms like WhatsApp use end-to-end encryption to make sure only you and the recipient of your message can read the contents.
The myth of the ‘zero-sum game’
The central question above points to the polarization of the encryption or ‘going dark’ debate. On the one hand, there is the belief of technology companies that user privacy is always compromised when lawful access is granted. On the other hand, law enforcement authorities generally believe that unrestricted access to digital communications is necessary in the battle against terrorism and other criminal activities. However, a middle-ground approach is more desirable. As the US Department of Justice argued: “we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security”.
Undesirable attempts to compromise encryption
Europol identified encryption as “a critical impediment and serious threat to the detection, investigation, and prosecution of criminals” in 2016. Building on this notion, law enforcement has attempted to push encryption toward more unrestricted access in two major ways. Firstly, limiting the use of cryptography has been proposed in order to make prosecution and accountability more efficient. While such legislation might reap benefits for ensuring public safety in the short term, technological development will suffer in the long run as encryption and therefore privacy protections would fall behind. Secondly, the proposition to force technology companies to install backdoors* in their devices poses serious concerns.
‘Backdoor’. A way of gaining access to an entire system or device by circumventing its security mechanisms.
Such backdoors would harm both the privacy and security of the users. When the FBI spurred Apple to alter the code in order to install a backdoor in the San Bernardino case, Apple noted that such a tool would be “the equivalent of a master key capable of opening hundreds of millions of locks” instead of being limited to one device. Such backdoors therefore pose serious privacy concerns. The Human Rights Council has similarly noted the importance of encryption and anonymity for freedom of expression “without arbitrary and unlawful interference or attacks”. Additionally, the security of users would be compromised, as devices would become more vulnerable to manipulation not only by national hackers, but also by foreign malicious actors. This is also the case when the use of cryptography is limited.
Finally, criminals would be discouraged from using devices with an inbuilt backdoor or with weakened encryption, and would turn to alternatives. This defeats the purpose of the proposed legislation, which is ultimately designed as a tool for prosecuting those criminals.
The EU’s encryption policy
The most recent development in the encryption debate relates to the “proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat sexual abuse”. This regulation, proposed in May of 2022, would entail the collaboration of digital platforms in detecting and reporting child sexual abuse material (CSAM), instead of voluntary detection and reporting as is the case now. With this recent proposal, the encryption debate has moved into an even more sensitive area, further polarizing the security vs. privacy standpoints.
The circulation of CSAM is a serious issue and it requires proper regulatory responses. However, privacy activists have voiced their concerns, as such a regulation would mean digital platforms need to access private user data in order to detect and report CSAM. While it is theorized that the privacy and security of encryption can be sustained while criminals are tracked down at the same time, this has been critiqued, since ‘technical shortcuts’ would still entail a weakening of encryption for all users. This weakening of encryption goes hand in hand with the concerns outlined above, such as defeating the purpose of such regulations when criminals turn away from weakly encrypted platforms. Furthermore, the surveillance mechanisms needed to monitor criminal behavior on digital platforms can arguably also be exploited by tech-savvy, unauthorized actors for malicious purposes.
Working with encryption in the EU
So what could be a potential solution in this debate, when previous propositions appear to be unsuccessful in ensuring both privacy and security? While a multi-faceted approach is necessary, ‘lawful hacking’ provides at least a progression from previous proposals. Lawful hacking is in line with the principles of legality, necessity and proportionality, with which law enforcement must comply when interfering with communicators’ privacy. This concept is built on the notion that, after having been provided with a warrant, existing weaknesses in a specific case and a specific device can be utilized. This more selective access to user data would ensure privacy is not further compromised. Such selective access could for example be facilitated through ‘functional encryption’ by changing the manner in which data is encrypted and preventing the need for access to an entire device, as suggested by the European Commission.
Lawful hacking also allows for a more efficient targeting of resources, preventing excessive investments in overall decryption. Still, mechanisms to achieve this goal, such as functional encryption, pose legal challenges. Appropriate legal frameworks are therefore needed in order to facilitate functional encryption. Lawful hacking is critiqued for letting technological development of encryption ‘roam free’ and seeking the solution in the capability of law enforcement institutions and third parties to develop workarounds, confronting law enforcement again with the ‘technological arms race’. However, lawful hacking combined with functional encryption could partly alleviate the struggle to decrypt an entire device when only certain elements need to be decrypted.
Striking a balance
Above all, the selectivity forced by lawful hacking allows for the privacy of users to deteriorate in a less drastic manner by sticking to a case-by-case adoption of decryption. The technical limitations and opportunities of such mechanisms remain to be further explored. It is important to keep in mind that smartphones arguably expose considerably more information than a house search, since their capacity to surveil individuals is immense. Law enforcement must work with encryption and the pace of its technological development, facilitated by proper lawful hacking, so that user privacy is in a more stable position while security can still be pursued. In line with the position of the Human Rights Council, encryption is integral to privacy. When dealing with such sensitive matters, neither technology companies nor law enforcement should decide what, when, how and where to decrypt. Rather, through proper regulations, legislation and the involvement of an independent judiciary, lawful hacking in a case-by-case approach allows for optimal user privacy, adequate prosecution and public safety.
Ayla Elzinga obtained a Bachelor in Media and Journalism and pre-master in International Relations from the University of Groningen, and is currently pursuing a Master in Crisis and Security Management at the University of Leiden.