Exceptional access and the future of internet security

28 Nov 2019 12:00h - 13:00h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

Over the next five years, the Internet Society intends to focus on two general areas: building a bigger Internet and promoting a stronger Internet. On the subject of a stronger Internet, promoting encryption is one of their flagship projects.

Encryption is a technical methodology for securing communications and data at rest, as well as verifying the identity of the parties communicating, all of which is essential for ensuring confidentiality. ‘Would you want someone to look at your diary?’ asked Mr Frédéric Donck (European Regional Bureau Director, Internet Society), asserting that encryption is a means for preventing that type of invasion of privacy.

Mr Olaf Kolkman (Chief Internet Technology Officer, Internet Society) described all of the personal and sensitive information that we have online, including social security numbers, phone numbers, addresses, and much more. Kolkman asked, ‘What happens if this information is stolen?’ As part of highlighting the important role of encryption in protecting this data, it was mentioned that the Internet has a global infrastructure that should be viewed as a ‘zero trust’ system. This means that you don’t need to trust the parts of the system in the middle if you trust the endpoints and the content is encrypted.

Kolkman also explained that exceptional access refers to the wish of government entities for access to encrypted communication. While it was acknowledged that requests for access to encrypted data may be legitimate, we have not found a way to provide this type of access in a zero trust architecture.

A representative from eco, an association of the German Internet industry, highlighted that encryption is essential to industry, both for data being transferred and for data being stored. The speaker noted that much of the discussion is about how to get access to data before or after it is encrypted. In the context of access to data on devices, the recurring question of whether companies can be compelled to weaken encryption was examined.

Secure encryption is based in large part on the handling of encryption keys, and it is best for those keys to be handled locally. The technical complexity can make this difficult for average users to handle on their own, and they place their trust in companies. The tech industry is looking at the best way to handle this in the context of exceptional access.

Mr Peter Koch (Policy Advisor, DENIC) highlighted that the German language does not have different words for safety and security, so the dichotomy is framed as ‘more security by less cryptography.’ He explained that when we talk about ‘breaking’ encryption, it is often a misnomer, because it is not about breaking the scheme so much as getting alternative access.

Some key themes emerged from the discussions. The discussions highlighted that, given the technical realities behind the desire for alternative doors and exceptional access, it is impossible to provide a special door for law enforcement without creating a point of abuse that could be used by both law enforcement and malicious actors. This issue becomes further complicated considering the wide variety of governments that would in theory have exceptional access. In many places, there is a deep distrust of government, in some cases justified.

Humanising encryption was another prominent theme, with many participants highlighting the important role of encryption in human rights. This was especially true in the context of women, youth, and marginalised communities. Ultimately, it was concluded that we need all stakeholders to be involved in this discussion and advocate for the right approach to the tension between law enforcement and encryption.

By Dustin Loup