Don't Disarm Individuals in the Battle for Data Protection, Privacy and Security
End-to-end encryption provides a foundational data protection safeguard, allowing secure data transfer between the sender and recipient while blocking it from external compromise. It also means this data can be inaccessible to law enforcement, who then must find alternative means to access that data.
Across the globe, repressive governments frustrated with data inaccessibility have banned or attempted to block end-to-end encryption under national security rationales, with a net negative effect on internet freedoms and individual rights. The United States has renewed the encryption battle, with a recent National Security Council meeting that discussed banning end-to-end encryption. Instead of seeking to emulate these regimes, the United States and allies should reinforce a commitment to data protection and privacy based on the security benefits of end-to-end encryption.
Last year represented a significant inflection point when it came to raising awareness and public consciousness about the extent to which third-party entities have access to personal and corporate data. The Cambridge Analytica scandal highlighted nebulous corporate data sharing practices, while the persistent drumbeat of years of mega-breaches such as Marriott, Quest and Equifax demonstrated the broad range of personal data left unprotected and exposed for compromise. Even accidental data breaches continue relentlessly and are compounded by failures to encrypt the exposed data. Together, these trends sparked a broader privacy awakening in favor of greater data protection against unauthorized data access.
This growing movement also instigated recent data protection efforts such as the General Data Protection Regulation, which references encryption as one of the recommended security safeguards organizations should deploy to demonstrate reasonable security is in place. In the United States, California’s Consumer Privacy Act (CCPA), which comes into effect in January 2020, is the most far-reaching data protection law to date. However, it is not alone. New York is considering even farther-reaching data protection requirements, while states from Maine to Texas are exploring or have passed data protection laws aimed at safeguarding data privacy and security.
Seeing the public momentum shifting, big tech companies have attempted to ‘out privacy’ each other as a business competitive advantage. In early 2018, most tech leaders publicly vocalized support for self-regulation, but by year’s end the narratives shifted in favor of manifestos and promises to prioritize privacy. For instance, Facebook CEO Mark Zuckerberg outlined his vision for privacy, including end-to-end encryption in all of their messaging applications.
This growing emphasis and demand for data protection has resulted in growing individual and corporate implementation of encryption. While end-to-end encryption provides an essential legitimate means to protect personal and corporate data, criminal and terrorist groups also can protect their own communications, hindering some law enforcement efforts. This tension is reflected in the 2016 Apple vs FBI dispute and appears to be reigniting, rationalized by concerns over ‘going dark’ and lacking access to data that may help convict criminals or terrorists.
The Global Attack on End-to-End Encryption
End-to-end encryption is one of the few security measures that is growing more affordable and usable for non-tech aficionados. It provides digital and physical security safeguards for a free and open society and economy, and has been used by human rights advocates, journalists and domestic violence survivors, as well as to secure intellectual property. Because of this, a recent United Nations report declared, “A state’s obligations to respect and ensure the rights to freedom of opinion and expression and to privacy include the responsibility to protect encryption.” The G20 has similarly prioritized data protection for global economic innovation and growth, demonstrating the economic benefits as well.
At the same time, there has been a growing global effort to weaken encryption, most vocally advocated by authoritarian regimes such as China, Russia, and Iran, under the auspices of national security. Unfortunately, this digital strategy has spread. Turkey recently linked anyone using a localized messaging app that contained encryption, called ByLock, to coup involvement. Malawi requires government approval of encryption keys. India is exploring a law to require a backdoor, targeted at WhatsApp. German leaders have requested similar access to encrypted content, while Brazil continues to go back and forth on banning WhatsApp and its end-to-end encrypted services. The United States, Australia, Canada, New Zealand, and the United Kingdom issued a joint statement introducing their intent to seek lawful access to encrypted content. Australia made good on this promise a few months later, passing a contentious law requiring access to encrypted content. Based on the recent discussion at the National Security Council, the United States may soon follow suit.
An Inflection Point for Security and Privacy
In short, the policies of authoritarian regimes are increasingly emulated across the globe, with significant implications for the future of the internet as well as fundamental rights and liberties. The absence of U.S. leadership in favor of end-to-end encryption will have global ramifications. First, it gives the green light to every despot and corrupt leader to similarly ban end-to-end encryption for their own regime objectives, including domestic crackdowns and targeting. Without a global leader advocating for end-to-end encryption, digital freedoms will continue to erode and only worsen over time as leaders become emboldened to seek ever growing means of information control and dominance.
Second, a U.S. law weakening end-to-end encryption won’t achieve the desired objective of greater national security. Last year it was proven that the FBI significantly overstated the number of cases impacted by their inability to access data. This means the actual national security gains are quite small, while such a law would simultaneously introduce greater vulnerabilities into a threat environment already struggling with a growing proliferation of attackers and tools. Backdoors are not just accessible to law enforcement, but also provide additional means for malicious actors to compromise data. If the current steady pace of breaches seems unsustainable for national and economic security, it will only be amplified without security safeguards such as end-to-end encryption.
The Digital Battle Ahead
Just as the demand for greater security and privacy gains momentum, governments across the globe are chipping away at a core safeguard for security and privacy. End-to-end encryption empowers data owners to defend against a range of data compromises. To be clear, it is not a panacea, but it is a highly recommended means to secure data and is fundamental to a modern open society based on individual rights to privacy and security.
The growing push for global data standards is intricately connected with geopolitics, human rights, and civil liberties. Global democratic leadership is essential to counter the digital authoritarianism that seeks complete information control by governments at the expense of individual fundamental freedoms.
If the United States bans end-to-end encryption, thus emulating the most repressive regimes across the globe, it will embolden additional countries to not only ban end-to-end encryption but take further steps to undermine digital privacy and security. Conversely, a coherent U.S. federal data privacy law that reinforces the essential role of end-to-end encryption could introduce an alternate model and a counterweight to the growing privacy infringements. But to achieve this, any notion of banning end-to-end encryption must be halted and replaced with serious discussion and implementation of federal policies that strengthen both security and privacy.