On cybersecurity, who has got our back?: A debate

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

Ms Sheetal Kumar, Global Partners Digital, introduced the four speakers setting as she described – the structure of the session and the context for the encryption debate.

Ms Dominique Lazanski, GSMA, described the challenges faced by operators and the business community to understand how to comply with different legal requirements in the management of networks.

Lazanski spoke on the variance in legal requirements across countries and the impact on the local markets. She also highlighted the growing challenge with security concerns around the Internet of Things from a mobile perspective. Standards are in development and the GSMA developed a framework for IoT and flexibility and interoperability will be supported as networks mature.

Mr Brian Bergstein, MIT Technology Review, joined the debate considering whether technology companies should share consumer data with governments. Bergstein agreed that they should in principle, but not in all circumstances or countries and not without due process or through bulk surveillance.

In his view, governments having access to consumer data did not have to be in conflict with our right to encrypted communications. He pointed out that plenty of consumer data remains unencrypted for tech companies to provide services in the course of their business and with due process governments should have access once warranted.

Bergstein referenced a UNESCO report on human rights and encryption which states that encryption is necessary but not sufficient to protect people and sensitive information in a networked world.

A world with no limits on privacy would leave elected officials along with criminals unaccountable. He warned that if governments have no legitimate auditable way of accessing consumer data they may force their way into systems that hold the data. It is not sufficient to only ask whether something is good for privacy but also, whether it is good for democracy, civic engagements and human rights.

Ms Tatiana Tropina, Max Planck Institute, shared experiences from her legal background and challenged human rights defenders putting the debate in an ‘all or nothing’ context. By doing this, no distinction is made between different types of data encryption and blurs the borders between legitimate demand from law enforcement agencies and the Pandora’s box that can be opened with unrestricted encryption.

She believes companies should not give access to encryption techniques using the FBI vs Apple case as an example, with no backdoors or master keys being given to governments. However, with legitimate criminal investigations submitted with due process, access should be allowed for individual crimes.

Mr Pranesh Prakash, Centre for Internet and Society, stated that weaker encryption systems means that governments can exploit developments from other groups in the world. He reminded everyone to have a global perspective for the debate because some governments are killing journalists and human rights defenders.

Prakash stated that it is not security vs privacy but security vs security. In Pakistan he pointed out a new law which allows the government to hold anyone’s data on any device for up to 24 hours with the person being required to provide encryption keys, passwords etc., without a court warrant. Lastly, he posed the question:  if the data could prevent an attack on citizens and save lives, how does that stand up to the encryption debate?

Ms Salanieta Tamanikaiwaimaro, a lawyer from Fiji, echoed Prakash’s concerns on utilitarian states that are not democratic and called for everyone to look beyond the technical capabilities and into the philosophy and how ethics could be infused regardless of government.

Roger from India, a member of the audience, asked whether democratic governments are constrained with the same guidelines within their borders as outside. Mr Michael Nelson, of Cloudflare, shared the challenges faced when he worked in the US Clinton administration with encryption. The biggest challenge was if governments were going to be allowed a backdoor – how to determine which governments should be included?

Another member of the audience, Andrew from Australia, lamented the challenges faced by the technical community in developing appropriate technologies and painted a scenario of the work involved in rebuilding trust if his personal device security was compromised by law enforcement and clients’ data was affected.

A member of the Delhi academic community asked how safeguards and checks and balances can be put in place where governments access consumer data. Tropina advocated for wide consultation for any legislative process that allows access to data or requires retention.

Bergstein cautioned against citizens taking civil liberties from companies. Mr Stewart Brown, from the UK government, put forward a recent investigative powers bill as an example and hailed the public scrutiny involved in the process.

by Andre Edwards, Trinidad and Tobago