Networked trust: encryption choices to a reliable Internet
Internet Governance Forum (IGF) 2021
6 Dec 2021 10:00h - 10 Dec 2021 18:00h
Katowice, Poland and Online
8 Dec 2021 15:50h - 17:20h
Event reportEncryption policies are currently a hotly debated topic. Mr André Ramiro (Director, Law and Technology Research Institute of Recife (IP.rec)) opened up the discussion by saying that we consider encryption policies, broadly speaking, encryption choices; these choices can be seen as a trust model awaiting deployment in the digital ecosystem to enhance a collective sense of trust.
The panel discussion was divided into two rounds and oriented around the following questions:
1. How should government, the internet, business, and other stakeholders protect its citizens, including vulnerable citizens? How do we protect them against online abuse?
According to Mr Pablo Bello (Director of Public Policy, Whatsapp, Facebook), encryption is under threat in Europe, America, and in other parts of the world. We should ask ourselves how to defend encryption successfully. He made the point by stressing that ‘the internet community should reject the false idea of safety and privacy; encryption is critical in terms of how we’re able to build a stronger narrative to explain the risks that are behind the weakening of encryption’. Weakening encryption will put people’s lives at risk and so encryption is needed and the community needs better responses to challenges of ‘going dark’.
Mr Patrick Breyer (Member of European Parliament (EP), The European Pirates, Member of Group of Greens/European Free Alliance group) spoke about current developments in the EP. The EP is fighting for mandatory encryption and the proposed privacy regulation because everything that is not encrypted is not safe from intelligence services. Under the umbrella of the EU Digital Services Act Package, the EP will fight for the inclusion of the right for encryption, guaranteeing users and services the right to offer encryption.
Mr Jeremy Malcolm (Executive Director, Prostasia Foundation) elaborated on the question of child sexual abuse and asked if weakening of encryption is not a way to ensure online safety for children, what it is? According to Malcolm, the answer is clear, but politicians are not willing to hear it. We should see it as a criminal justice problem. If we were to see it as a public health problem, we would take action to prevent children from abuse by, first, reducing the risk factors and, second, by increasing protection.
Ms Lidia Stepinska-Utasiak (Deputy Director, Office of Electronic Communications, Poland) described a knowledge gap between policymakers and the public in encryption debates. Users should be the ones who make choices regarding their safety; similarly, users should be well informed regarding encryption methodology. The question is whether the EU can create a balance between security and privacy–and she assumes that legally it cannot. She went on to explain that ‘if legislation were to be passed, data access policies and capabilities would differ among member states. So the problems with encryption, for example, in criminal investigations, vary from one member state to another’.
Mr Vittorio Bertola (Head of Policy and Innovation, Open-Xchange) reflected on the two problems associated with encryption policies. First, we do not have a shared understanding of what safety means. In general, those people that complain that encryption undermines safety present rather a different definition of safety than those who defend encryption. Second, a disagreement has arisen over the question of who is responsible for safety. Technology providers assume that it is their duty and can achieve it by encrypting all communications, yet many EU states assume that it is not only their right, but also duty, so it falls within their responsibility. As Bertola pointed out, it may be better to address these kind of conflicts and views before addressing the fact that encryption needs certain safeguards to prevent access to data in certain cases.
2. How should international standards address the different requirements and references of governments and citizens in different countries?
According to Ms Susan Landau (Bridge Professor in Cyber Security and Policy at the Fletcher School) we have all kinds of security, national security, economic security, public safety, privacy, and encryption — end-to-end encryption provides all of these pieces, as well as making investigations difficult. Putting privacy and security into opposition is a mistake. When it comes to international safety, every nation has its own definition and they agree only on the fact that child sexual abuse material (CSAM) is horrible. On the other hand, in some countries, this material is allowed, which makes the issue even more complicated. She thinks that ‘we’re not ever going to get to the point where the USA, Iran, and France and Russia and China are going to come to agreement on end-to-end encryption’.
Ms Lidia Stepinska-Utasiak discussed two very important strategies the European Commission has launched: one for combating child sexual abuse specifically, and another for updating the Security Union Strategy more broadly. The Strategy seeks a compromise related to security and safety and promotes an approach that would maintain the effectiveness of encryption in protecting privacy and security of communications while providing an effective response to crime and terrorism.
By Kristina Hojstricova