Encryption has never been as mainstream as it is right now. You don't need to be a tech geek to use an encrypted app anymore – think about how many of us use one of the best VPN or secure messaging apps every day – or understand the necessity of scrambling your data into an unreadable form to prevent unwanted access.
Even as we acknowledge this, however, encryption is under attack everywhere as governments worldwide increasingly see this technology as an obstacle – especially to fighting crime. Yet, according to experts, lawmakers often underestimate the importance of encryption in preserving people's online safety and anonymity.
Since 2020, October 21 has marked Global Encryption Day: an annual day of action to promote, protect, and defend strong encryption. I attended the Encryption Summit, a virtual event held by the Global Encryption Coalition to "celebrate how encryption makes us powerful, investigate the regulatory challenges facing encryption, and unite our community." Below are my five biggest takeaways, one for each panel.
1. From censorship to VPN blocks, shared legal challenges in South Asia
The event kicked off with a panel discussion of the legal battles taking place across South Asia regarding the blockage of encrypted apps, the requirement of encryption backdoors, and the tightening of restrictions on virtual private network apps. Speakers included lawyers, digital rights experts, and journalists from India, Sri Lanka, Bangladesh, Pakistan, and Nepal.
The region is infamous for tight control over the internet, with internet policy proposals aiming to gain more control over social media and the use of encrypted apps. Examples include a new Sri Lanka Online Safety Bill threatening free speech and privacy abuses and Pakistan's national firewall slowly breaking the internet alongside a plan to ban VPNs (the software you need to bypass online restrictions).
On this #GlobalEncryptionDay, let’s push for encryption that guarantees both privacy AND open access for all users worldwide. No censorship, just freedom. #encryption #privacy pic.twitter.com/SKXh8Ovkyq October 22, 2024
What stood out to me the most was hearing how the same legal attempts to undermine encryption and internet freedoms are shaping the whole region.
Encryption and digital rights experts are doing an amazing job of shedding light on the implications of law proposals, but the Supreme Court will ultimately determine the balance between safety and privacy online.
2. Social media and messaging apps aren't the same
The second panel tried to find an answer to what an encryption-friendly platform regulation should look like by examining three cases from around the world – so distant from each other, yet with so much in common.
The UK Online Safety Bill (which became law in September 2023) was a pivotal moment in the conflict between authorities and encryption. A process six years in the making, attempting to make the UK "the safest place to be online," it has gathered criticism from all fronts along the way.
The main controversy was the required client-side scanning of private and encrypted messages for harmful and illegal content – halted in a last-minute decision until it's "technically feasible" to do so.
EU lawmakers are trying to push for a similar law – dubbed Chat Control by critics – to scan all your encrypted messages on the lookout for online child sexual abuse material (CSAM). The legislative proposal, however, continues to face strong resistance in the bloc.
As Mark Johnson, Advocacy Manager at Big Brother Watch, pointed out during the Summit, the Online Safety Act is a "bad example of regulation" as its language still makes it vulnerable to political influence.
The same legal challenges are repeating in Nigeria and Brazil as lawmakers evaluate drafts for the Online Harms Protection Bill and Bill PL/2630, respectively.
I found what Heloisa Massaro, Director at Brazilian think tank InternetLab, said at the end of the discussion especially interesting. She discussed the need to go deep into the distinction between social media and encrypted private messaging apps in order to craft better regulations when it comes to encryption.
"Otherwise, we will have regulations that aim to attack the social media features of the messaging apps, undermining privacy and freedom of speech," she added.
3. Tech policies should address the issues of tomorrow
The third panel looked at the behind-the-scenes work of Mozilla and other encryption experts to enact changes to the proposed eIDAS legislation in Europe.
The so-called eIDAS 2.0 (a revision of the EU's previous digital identity law) has two functions: launching an identification app (EU ID Wallet) for all Europeans while changing how web browsers deal with security and website authentication (Article 45).
Experts are especially worried about the latter point, warning of unintended consequences like greater surveillance, censorship, and false security.
Technologists and civil societies have been working hard to prevent the EU's quest to fix the internet – as lawmakers put it – from becoming "a privacy and security nightmare." While dismissing concerns, the EU finally agreed to add a "cybersecurity exemption" to allow browser providers to quickly deal with security and privacy flaws within their products.
This is a stark reminder that "you need to create internet policy and tech policy around the issues of tomorrow rather than the issues of just today," said Alexis Hancock, Director of Engineering at the Electronic Frontier Foundation. "You don't know who's going to be in power tomorrow, so you need to develop tech policy able to create safeguards to protect people tomorrow. Article 45 would have endangered that safeguard of trust."
According to Hancock, the challenge now is implementing the cybersecurity exemption across all different EU members.
4. Encryption prevents crimes
Perhaps the most interesting panel, the fourth discussion delved deeper into the conflict between law enforcement and experts when it comes to encryption: children's online safety.
On one side, authorities push for weakening encryption as they see it as an obstacle to catching sex predators and monitoring online threats effectively. Privacy experts couldn't disagree more – encrypted communications and tools like VPNs are a necessity to shield children's identities and keep them safe as they browse the web.
A big theme within the discussion was the need to educate both parents and children about the importance of this technology. One of the speakers, for instance, was Jessica Dickinson Goodman, who wrote the book "Encryption for Babies" to explain these techy concepts in plain language.
On-field research carried out by Dr Sabine K Witting, co-founder of startup consulting company Tech Legality and Assistant Professor at Leiden University, also found that children's wants and needs around digital technologies often differ from what adults (especially lawmakers) believe to be important.
This is why, according to Larry Magid, US tech journalist and co-founder and CEO of ConnectSafely, law enforcement needs to find a solution to protect kids that doesn't involve breaking encryption.
He said: "The lack of encryption might make it easier to prosecute crimes, but encryption helps prevent crimes. And given the choice between prosecuting and prevention, I would take prevention every time."
5. Stakes are higher for encrypted tools' users than their providers
The last panel looked at the wider implications of the Telegram CEO's arrest in August.
The preliminary charges against Pavel Durov include the alleged use of cryptographic technologies – responsible for implementing encryption protections on the messaging app – without proper declaration as well as providing those cryptographic services to criminals.
12 charges against Telegram CEO Pavel Durov include "providing cryptology services aiming to ensure confidentiality without certified declaration" and six counts of "complicity" with alleged criminal activity by Telegram users. FR & EN https://t.co/sDvjUiZJvT pic.twitter.com/j8sCP1uPep August 26, 2024
Noémie Levain, Legal and Political Analyst at La Quadrature Du Net, explained that these are based on an old law that "nobody cared about because it doesn't really fit on how encryption practically works." Yet, in this instance, she believes the French government is trying to use it as a political weapon against its enemies.
It's too early to predict how the Durov case will unfold as the Court could still drop the charges related to encryption. For Levain, though, something else is very clear – the stakes are higher for people using encrypted tools rather than the people making them. She said: "I would be more worried about the general context of criminalizing everyone using these tools."