Crypto wars 3.0 – can privacy, security, and encryption co-exist?
This workshop revisited the debate on the relationships between encryption, privacy, online harms, and the needs of law enforcement agencies.
Should privacy take primacy over all other considerations?
Encryption is needed to protect privacy and help people survive in repressive regimes. Privacy, however, should not take primacy over all other concerns, namely over fighting crime, said Mr Jan Ellermann (Senior Data Protection Specialist, Europol). Acknowledging that a balance between security and encryption is hard to achieve due to certain compromises in freedom which are required for attaining more security, Ellermann nevertheless highlighted the need for a legal framework which would enable tackling all forms of organized crime while, at the same time, respecting fundamental rights. He suggested that law enforcement should have a very clear mandate to break encryption in individual and justified cases. Such a mandate should overcome, on a case-by-case basis, the barriers imposed by the right against self-incrimination when it comes to providing passwords to law enforcement agencies.
Mr Stephen Farrell (Trinity College Dublin) also noted there should be a shift of focus away from the discussions on generic regulations allowing law enforcement agencies to break encryption in all cases. Rather, there should be an open discussion on the specific requirements of law enforcement agencies on when and how to break encryption.
Mr Dan Sexton (CTO, The Internet Watch Foundation) agreed that the shift should focus on acting on the specific content, such as, for example, where it is necessary to prevent the dissemination of encrypted child abuse material.
Will methods that allow law enforcement agencies to break or circumvent encryption always weaken that encryption and ultimately help bad actors?
Allowing law enforcement agencies to break encryption will not prevent criminals from encrypting their communication in an unbreakable way, but it might weaken the online communication infrastructure of the society, create new tech scenarios for criminals and cyber war and, incidentally, also create the conditions for broad population surveillance, said Mr Ulrich Kelber (German Federal Commissioner for Data Protection and Freedom of Information). The trust in encrypted communication is necessary in a democratic society, but it will be undermined by simple access of authorities to encrypted messages. ‘Solution thus cannot be worse than the problem,’ Kelber said.
Encryption, privacy, and security: a false dichotomy
The relationship between encryption, privacy, and security should not be described by false framings and false dichotomies, said Ms Iverna McGowan (Director Europe Office, Centre for Democracy and Technology). The coexistence of these three notions is a must, added Mr Robin Wilton (Director Internet Trust, Internet Society), noting that these notions, however, need to be defined, perceived, and used with better care and consistency.