For the past few years, there has been a debate regarding the regulation of web encryption among the governments of several countries around the globe. On November 6, the Council of the European Union published a draft resolution on the topic, while back in October, the US joined Canada, India, Japan, the UK, Australia, and New Zealand in urging the industry to allow governments to have “backdoor encryption access”.
So, what exactly does all this mean?
The latter countries basically want to enable law enforcement agencies with search warrants to access encrypted data. This includes encrypted data in transit, as well as stored encrypted data and custom encrypted applications and platforms. Even though encryption protects Internet users and their data from hackers and other malicious actors, the US government believes that its existence also makes it more difficult to catch criminals. A press release from the US Department of Justice claims that it wants to “challenge the assertion that public safety cannot be protected without compromising privacy or cyber security”.
However, most of the tech industry disagrees. A secure encryption backdoor would basically be impossible to implement. Once such a backdoor is opened, it’s almost guaranteed that it would be exploited by cybercriminals and cause mass hacking and technical disruption. Beyond that, allowing such access to governments and law enforcement is a slippery slope when you take into account how international the tech industry is. Even if you do trust your country’s government, before long a request will probably come in from less democratic governments, which is likely to put tech companies in a very difficult position. An article from Just Security points out that tech firms would likely find themselves having to choose between being complicit in human rights abuses or losing access to entire markets. Basically, the existence of encryption backdoors would be messy, with all semblance of privacy and security destroyed in the process. Which kind of defeats the purpose of encryption, don’t you think?
The EU’s call to regulate encryption, on the other hand, is a little less extreme, and a bit more vague in its intentions (with one commissioner essentially referring to it as an empty political gesture). They don’t want to ban end-to-end encryption, simply spark a discussion. The draft resolution basically points out the importance of discussing how criminal justice authorities can work in tandem with strong encryption across the web, while also taking into account every EU citizen’s right to data protection and privacy. It concludes by saying, “there should be no single prescribed technical solution to provide access to encrypted data”.
The debate poses the question: can encryption with “backdoor access” even still be called encryption? It could be argued that calling encryption (the protection of people’s data when they use the web or digital devices) unsafe is akin to calling it unsafe to lock the front door of your house to protect yourself from intruders. While this may protect a small number of criminals, the majority of people encrypting their data or locking their doors are just ordinary citizens who want to keep their private information private.
While it doesn’t seem like these debates will result in the destruction of end-to-end encryption as we know it any time soon, it is worrying when government officials don’t understand how encryption actually works or its significance in modern day-to-day life where web usage is becoming increasingly ubiquitous. We can only hope it remains a discussion and doesn’t become a reality.