PDEC Opposes Government “Backdoor” Access to Encrypted Data
The Personal Data Ecosystem that PDEC promotes gives people the rights and capabilities to control, access, manage and secure value from data about them and their lives regardless of how such data is derived.
PDEC members include businesses that provide citizens with means to control how other people and organizations may further access or use this information. As such we are committed to the notion that the users (we call them principals[1]) are fundamentally in control of their information. Therefore in some cases PDEC businesses employ mechanisms like encryption to ensure that control, and also to assure their users that even those businesses cannot access or disseminate their personal data without their consent.
Of late a number of world leaders including British Prime Minister David Cameron[2], U.S. President Barak Obama[3], U.S. FBI Director James Comey[4] and the new U.S Attorney General, Lorretta Lynch[5] have made public statements regarding their concern on the growing use of strong end-to-end encryption techniques on the internet. They argue that strong encryption hampers government efforts to fight crime and terrorism through programs of broad electronic surveillance of communication via social media, smart phones, instant messaging, e-mail and file sharing.
To address this issue some have suggested outright bans of such encryption while others have proposed the introduction of means for government to obtain extraordinary privileged access to encrypted communication and data using escrowed or “back-door” keys.
PDEC strongly believes that proposals that attempt to curtail, regulate or compromise strong encryption are unwise for several reasons including:
- they abridge the rights that individual citizens have to privacy, reversing generations of improvement in human rights
- the damage that such controls could do the emerging digital economy including the personal data ecosystem and the underlying mechanisms and business models for distribution and control of access
- and the fact that such methods are in reality impractical at world-wide internet scale, would likely be ineffective at achieving the goals that governments are arguing for, and significantly increase the risk of harm to law abiding individuals and organizations
While it is possible that end-to-end encryption may be employed by criminals or terrorist groups to secure their electronic interaction it is also demonstrably true that strong end-to-end encryption provides the most, and ultimately perhaps the only, viable tool for legitimate businesses and individual citizens to protect their identities and privacy.
Technical experts agree that any attempt to curtail the use of strong end-user encryption or requirements for third party privileged access or key escrow would necessarily dramatically impact any organizations or individuals attempt to interact online in secure manners.[6] Also, requirements for privileged access to user information by one or more government organizations worldwide could create new legal liability risks for organizations that would be difficult to assess accurately and that would be challenging to indemnify. Further such requirements could seriously erode end-user confidence and might actually impede the development of the personal data ecosystem.
Lastly, and perhaps most importantly, it is absolutely clear that efforts to eliminate strong end-to-end encryption cannot be successful. While governments might try to prevent providers of internet software, hardware or services from delivering strong encryption to their customers or otherwise disable the technology by requiring availability of “back door keys” to allow them to decrypt all electronic communication it is clear that compliance with such regulations would never extend to unlawful actors such as criminals or terrorist organizations.
Even if all legitimate internet providers of communication or data storage agreed to permit government access to decrypted information under appropriate legal controls, unlawful actors could easily implement or acquire their own mechanisms for encrypting their data prior to delivering it to compliant lawful services. Even detecting such “second level” encryption would require very broad access to all the data flowing through a wide-variety channels and would contradict the governments stated assertions that their interest in access is narrowly targeted.
Finally the international scope of internet traffic that spans political jurisdictions makes implementation of such controls at internet scale so complex and fraught with diplomatic issues that is difficult to imagine success.
The desire of governments to more easily protect their citizenry is understandable and in principle PDEC supports efforts to do so that do not infringe on the sovereign rights of individuals. However, PDEC believes government actions to exercise such controls should not be done at the expense of legitimate online interaction of businesses or citizens or in a manner that would abrogate the covenants of privacy made by businesses to their clients, customers or users.
[1] PDEC prefers use of the term Principals. Other terms in common usage such as users, end-users, individuals, or subjects do not fully reflect the primacy and sovereign rights of individuals as the principal participant with rights to control data about them that PDEC recognizes as fundamental and basic.
[2] Links:
http://www.bbc.com/news/technology-30794953
http://www.theverge.com/2015/1/12/7533065/whatsapp-imessage-ban-uk-government-encryption
[3] Links:
http://blogs.wsj.com/digits/2015/01/16/obama-sides-with-cameron-in-encryption-fight
[4] Links:
[5] Links:
[6] Links:
http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8
https://static.newamerica.org/attachments/3138–113/Encryption_Letter_to_Obama_final_051915.pdf
Krowdthink fully supports the PDEC statement and confirms that our ability to provide a trust model for digital social engagement will be undermined by the CISA bill being put forward in the USA at the moment.