Encryption refers to the scrambling of electronic documents and communication into an unreadable format which can be read only through the use of encryption software. Traditionally, governments were the only players who had the power and the know-how to develop and deploy powerful encryption in their military and diplomatic communications. With user-friendly packages, encryption has become affordable for any Internet users, including criminals and terrorists. This triggered many governance issues related to finding the right balance between the need to respect privacy of communication of Internet users and the need for governments to monitor some types of communication of relevance for the national security (potential criminal and terrorist activity remains an issue).
International regimes for encryption tools
The international aspects of encryption policy are relevant to the discussion of Internet governance inasmuch as its regulation should be global, or at least, involve those countries capable of producing encryption tools. For example, the US policy of export control of encryption software was not very successful because it could not control international distribution. US software companies initiated a strong lobbying campaign arguing that export controls do not increase national security, but rather undermine US business interests.
Encryption has been tackled in two contexts: the Wassenaar Arrangement and the OECD. The Wassenaar Arrangement is an international regime adopted by 42 countries to restrict the export of conventional weapons and ‘dual use’ technologies to countries at war or considered to be ‘pariah states’. The arrangement established a secretariat in Vienna. US lobbying, with the Wassenaar Group, aimed at extending the Clipper Approach internationally, by controlling encryption software through a key escrow. This was resisted by many countries, especially Japan and the Scandinavian countries.
- Countries participating in the Wassenaar Arrangement
A compromise was reached in 1998 through the introduction of cryptography guidelines, which included dual-use control list hardware and software cryptography products above 56 bits. This extension included Internet tools, such as Web browsers and e-mail. It is interesting to note that this arrangement does not cover ‘intangible’ transfers, such as downloading. The failure to introduce an international version of Clipper contributed to the withdrawal of this proposal internally in the USA itself. In this example of the link between national and international arenas, international developments had a decisive impact on national ones.
The OECD is another forum for international cooperation. Although the OECD does not produce legally binding documents, its guidelines on various issues are highly respected. They are the result of an expert approach and a consensus-based decision-making process. Most of its guidelines are eventually incorporated into national laws. The question of encryption was a highly controversial topic in OECD activities. It was initiated in 1996 with a US proposal for the adoption of a key escrow as an international standard. Similar to Wassenaar, negotiations on the US proposal to adopt a key escrow with international standards were strongly opposed by Japan and the Scandinavian countries. The result was a compromise specification of the main policy elements.
A few attempts to develop an international regime, mainly within the context of the Wassenaar Arrangement, did not result in the development of an effective international regime. It is still possible to obtain powerful software on the Internet.
Encryption and human rights
In recent years, the Snowden revelations that disclosed the use of surveillance programs by the United States National Security Agency (NSA), subsequent revelations of surveillance carried out in various other countries, and a rise in cybercrime and terrorism, have placed encryption and human rights into sharper focus. The debate on an international regulatory framework for encryption has also shifted in the same direction.
The issues are various and complex. From a security standpoint, governments have reiterated the need to access encrypted data with the aim of preventing crime and ensuring public safety. Revelations have revealed backdoors into encrypted software and products, putting pressure on Internet and tech companies to allow governments access to data. From a human rights standpoint, the right to privacy and other human rights should be protected, and encryption tools – including pervasive encryption – are essential to protect privacy. The need for greater protection for encryption and anonymity was in fact highlighted in the UN Special Rapporteur’s report (2015) to the Human Rights Council.
More recently, these arguments were vividly discussed and illustrated during the 10th IGF in Brazil in 2015, and the 11th IGF in Mexico in 2016. Various approaches were identified, including encryption by default, prohibition of backdoors (also due to the fact that backdoors could make encrypted files vulnerable to criminals), stronger data retention rules, and importantly, an international framework. The view that encryption (and anonymity) is inherently linked to security and economic prospects was also discussed in depth.