
No. 141 Law enforcement in a world of pervasive encryption

Workshop Format

Panel

Duration of proposed workshop

60 minutes

IGF 2015 subtheme that this workshop falls under

Cybersecurity and Trust

Description

In light of the Snowden pervasive surveillance disclosures, there appears to be broader and growing interest in the use and the availability of encryption solutions, particularly those that provide end-to-end protection.

Trusted end-to-end encryption solutions are one of the key tools by which Internet users can protect the confidentiality of their communications in the digital age. They also serve to reinforce user confidence, which is fundamental for a successful digital economy.

At the same time, concerns have been raised by law enforcement and others regarding what impact pervasive use of encryption solutions for Internet traffic might have on their activities. There have even been suggestions to prohibit the use of encryption, to require backdoors for governments, to limit the level of permitted complexity, or otherwise weaken cryptographic standards.

In a post-Snowden era, how do we balance the legitimate security needs of governments to protect their citizens from very real threats - and at the same time allow people to have a level of privacy from government intrusiveness?

Are calls for “legitimate encryption backdoors” technically feasible and/or desirable?

How can we understand and implement the legal notion of proportionality?

Are law enforcement, national security objectives and Internet users’ legitimate expectations of secure confidential online communications compatible at all?

What effect might pervasive use of encryption solutions have on other objectives, e.g. network management?

In essence, how to reasonably achieve public policy objectives such as law enforcement/national security in a world where encrypted Internet traffic is the norm?

Name, stakeholder group, and organizational affiliation of workshop proposal co-organizer(s)

Nicolas Seidler & Christine Runnegar
Technical community
The Internet Society

Has the proposer, or any of the co-organizers, organized an IGF workshop before?

yes

The link to the workshop report

http://www.intgovforum.org/cms/wks2014/index.php/proposal/view_public/112

Subject matter #tags that describe the workshop

#security, #privacy, #encryption, #law enforcement

Description of the plan to facilitate discussion amongst speakers, audience members and remote participants

The session will bring together stakeholders who are directly involved in the issues discussed. The aim is to produce concrete guidance and solutions on the way forward, leveraging a diversity of perspectives (law enforcement, technical and security experts, civil society leaders, UN agencies, etc.). Outcomes will be shared with the community.

Both onsite and remote participants will be encouraged to share their views and expertise during the discussion.

Names and affiliations (stakeholder group, organization) of the participants in the proposed workshop

All confirmed:

• Mr. Frank Pace, Sergeant, Digital Forensics Investigative Unit, Strategic Information Bureau, Phoenix Police Department
• Mr. David Kaye, UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression
• Mr. Ted Hardie, Executive Director, Internet Architecture Board
• Ms. Carly Nyst, civil society, former Privacy International, international privacy expert
• Mr. Michael Nelson, Internet-related global public policy issues, CloudFlare
• Ms. Sanja Kelly, Project Director, Freedom on the Net report
• Ms. Xianhong Hu, intergovernmental, Division for Freedom of Expression and Media Development, Communication and Information Sector, UNESCO

Name of in-person Moderator(s)

Nicolas Seidler, Internet Society

Name of Remote Moderator(s)

Raquel Gatto, Internet Society

Name of Rapporteur(s)

Dan York, Internet Society

Description of the proposer's plans for remote participation

Remote participants will be involved regularly in the course of the session. Social media and hashtags will be used to promote remote participation and input.

Background paper

background paper

Agenda

A. Introduction by moderator (5-10 min)
-----
Background and context on encryption & law enforcement debate, set scenario discussion, introducing speakers

The moderator will set the scene for the discussion by introducing a scenario - a world where encryption is ubiquitous.

Note: The questions in B will explore this scenario, e.g. how panellists see that future, when (or if) they predict it will be achieved. We anticipate different perspectives on what this future might look like and its implications.

B. Moderated discussion & interaction with audience (50 min)
----

1. How did we get there?
*What year is this? (in 2 years, 10 years, 50 years,…?)
*What drove us to this future? (e.g. what were the motivations) What steps led to this scenario? (user demands, business conduct, country leadership, technical push?)
*What obstacles/impediments do you imagine were encountered on the way? How were they handled? (e.g. laws banning the development; sale, development and use of encryption (or types of encryption))

2. What would this future look like?
*At the technical level (data at rest, in transit, layered, end-to-end, key escrow, etc); at the geographical level (e.g. worldwide or more limited); from the business perspective; from the social perspective; from the law enforcement perspective; etc?
*Would ubiquitous encryption protect everyone? From everyone?
*What would using encryption mean for different actors? (e.g. activists, businesses, consumers, etc.)

3. How would law enforcement operate in this scenario?
*Will they be able to achieve their goals? How? By means other than data decryption?
*By working with private sector? What role would companies play? With others?

Key Issues raised (1 sentence per issue):

The session focused on the broader and growing interest in the use and the availability of encryption solutions, particularly those that provide end-to-end protection.

The question posed to the forum focused on how to reasonably achieve public policy objectives such as law enforcement/national security in the scenario of a world where encrypted Internet traffic is the norm.

Key issues highlighted by the panelists included: How long it will take until encryption is reasonably ubiquitous, the moral and ethical differences between targeted and pervasive surveillance, the role of traditional law enforcement mechanisms in combating criminal activity which uses encrypted communications, and how to build encryption systems that the public can trust.

Please describe the discussions that took place during the workshop session (3 paragraphs):

All panelists agreed that there is both a need to ensure the security of citizens and to protect the confidentiality of online communications. Views diverged however on whether exceptional access for governments to encrypted material, which is generally requested by law enforcement agencies to facilitate their work, would be effective, technically feasible and proportionate.

Many speakers agreed that drivers that could lead to a world of pervasive encryption could include public scandals that could trigger policy change (e.g. broad legislation restricting encryption, a CEO or political figure being the victim of a hack due to weak encryption, cases similar to the US Office of Personnel Management data hack). Pull factors could include companies further deploying end-to-end encryption as a competitive advantage to foster customer trust.

An important distinction was made between what law enforcement does in the investigation of specific crimes and what intelligence services might do as a matter of bulk data collection and the interception of signals, whether encrypted or not, in pursuit of different objectives. Crime investigation would usually focus on data at rest (mobile device, computer, etc.).

The discussion raised the fact that while full access to unencrypted data would likely make LEA’s job easier, there are alternative means that law enforcement can use, and is using, to target criminals. This includes targeting other parties that are involved in crimes, using metadata to track patterns and relationships, and the employment of malware in exceptional cases. However, all these means usually require extensive legal thresholds for their use. Some raised that the increasing number of connected objects will also offer LEA new means to investigate crimes (while also raising further privacy concerns). It was also raised that technological means may not always replace investment in employing human intelligence. A related point was made that the barriers to intrusion into people’s privacy to investigate crimes should be similar to those that existed before the Internet. Social practices should not change as a result of technical aspects.

Several voices raised questions on whether it would be possible for governments to have exceptional access to encrypted material, as there does not seem to be an effective and widely acceptable solution currently. Technical insights indicated that strong encryption with forward secrecy would likely be unbreakable. However, data sitting at rest usually needs some credentials that could be retrieved from a device. An example was given of banks that are required to build their data systems in ways that will support law enforcement when requested.

In addition, it was highlighted that many countries actually use national security arguments as a way to censor information and track political dissent, so it is important to contextualize the debate on the understanding that exceptional access to encrypted material, assuming it was possible and desirable, might sometimes be used in ways that will explicitly restrict fundamental rights, including freedom of expression.

Finally, with the likelihood that encryption will be more widely spread and available in the next 5 to 10 years (with possibly different types of encryption at different layers), a key conclusion from the workshop was that the debate should also focus on building new trust frameworks between law enforcement and citizens. A suggestion was made that the vision of a world with encryption by default (that protects users’ confidentiality and trust) could be compatible with systems where citizens could have the opportunity to contribute to community efforts towards crime prevention.

If there were presentations during the workshop session, please provide a 1-paragraph summary for each presentation:

-

Please describe any participant suggestions regarding the way forward/ potential next steps/ key takeaways (3 paragraphs):

Please refer to previous item 17

Estimate the overall number of the participants present at the session:

80

Estimate the overall number of women present at the session:

About half of the participants were women

To what extent did the session discuss gender equality and/or women’s empowerment?

It was not seen as related to the session’s theme and was not raised

If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

No information provided
