Encryption and Crime: The Case for a Transatlantic Encryption Alliance

June 21, 2021

The arrests of more than 800 alleged criminals around the world who had been using an encrypted app covertly run by the FBI and Australian law enforcement may seem an argument to give detectives greater access to private data

In fact, Operation Trojan Shield was a creative approach to fighting crime that harnessed trust in encryption as an advantage and not an obstacle. The Five Eyes group, the intelligence collective of the Anglosphere, including Australia, Canada, New Zealand, the United Kingdom and the United States, wants to go much further in gaining access to encrypted technologies in the name of intelligence and law enforcement. The group focuses narrowly on the criminal use of encryption, and bases its argument on the false pretense of what the European Union (EU) calls creating “security through encryption and security despite encryption.”

The political debate around encryption in the EU and U.S. continues to evolve as new arguments around anti-terrorism and the fight against child sexual abuse squeeze the conversation into an increasingly criminal frame. More and more political initiatives on both sides of the Atlantic are pointing to encrypted communications as problems inhibiting government access to criminal content and activity, and the EU is even proposing technical solutions to these problems. But the debate around criminality and encryption disregard the essential role it plays in protecting open markets and societies. The stakes are now rising for everyone as this debate plays out.

Can governments actually mandate access to encrypted communication while protecting their most vulnerable populations and services? Technically, no, not without effectively breaking or weakening encryption. This would undermine the citizen-state foundations of our democracies, as well as the tenets of citizens’ fundamental rights, consumer rights to privacy, governments’ data protection and cybersecurity efforts, international trade and e-commerce infrastructure, the notion of confidentiality across sectors and of diplomacy itself. Further, such legislation would put at risk the most vulnerable groups that make EU and U.S. markets and societies free and open, such as journalists, activists, and even children.

One can also challenge the argument against encryption as a law enforcement problem by asking: can access to otherwise secure data actually make a marked difference in a government’s ability to enforce the law against terrorism or child sexual abuse? In other words, what percentage of criminal cases are rendered insoluble by lack of access to encrypted communications? With legislation for lawful access to encrypted data proposed in the U.S., a resolution on encryption adopted and legislation underway to tackle online child sexual assault material through technical “solutions” in the EU, and within the EU a government hacking bill on the table in Germany, such data is sorely lacking even though crucial public consultation or impact assessments have yet to be conducted. They also fail to note a key element in the debate — the increasingly imaginative response of law enforcement, as with Trojan Shield, shows that organized crime and other criminals struggle just like governments and corporations to keep their data secret.

Official demands to weaken encryption has also brought a response several non-government initiatives. The Global Encryption Coalition of civil society organizations was formed to pool research and advocacy efforts toward stronger encryption worldwide, and a tech alliance of small- and medium-sized businesses called Encryption Europe has formed to push for stronger encryption, “zero backdoors” and transparency with regard to encryption algorithms.

After decades of debate, it is high time to connect these transatlantic discussions to de-conflate the issues, share and learn from other sectors and jurisdictions, and assess the proportionality and impact of such legislation on our democratic societies, open markets and vulnerable groups.

This is a subject too important to leave to any one country. The U.S. and EU should now unite to tackle shared criminal problems and agree common solutions. This should extend beyond ad hoc alliances for criminal investigations, like the Trojan Shield sting, to broader issues through a multi stakeholder deliberation process.

Such an initiative would allow multi-disciplinary, cross-sectoral groups to challenge the constricted framing to which encryption technology is being relegated.

It could help both sides

Assess the fundamental rights impact and other major risks associated with such legislative action;
Reach and define safeguards for protecting the quality of encryption technologies;
Develop awareness, understanding, and trust between governments, their citizenries and markets;
Design and build capacity and frameworks to work through obstacles and coordination problems intrinsic to such complex and cross-border crime;
More broadly define the scope of crime prevention and response that is needed to more comprehensively address core problems associated with criminal activities on both sides of the Atlantic.