Cybersecurity, Cybercrime & Online Safety
Cyberattacks, Cyberconflicts and International Security
Organizer 1: Pedro Amaral, 🔒Law and Techonology Research Institute of Recife
Organizer 2: Marcos Cesar Martins Pereira, Law and Technology Research Institute of Recife (IP.rec)
Organizer 3: Paula Bernardi, Internet Society
Organizer 4: Olaf Kolkman, 🔒
Speaker 1: Masayuki Hatta, Civil Society, Asia-Pacific Group
Speaker 2: Mariana Canto Sobral, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Prateek Waghre, Civil Society, Asia-Pacific Group
Speaker 4: Pablo Bello, Private Sector, Latin American and Caribbean Group (GRULAC)
Speaker 5: JULIANA FONTELES DA SILVEIRA, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Olaf Kolkman, Technical Community, Western European and Others Group (WEOG)
Pedro Amaral, Civil Society, Latin American and Caribbean Group (GRULAC)
Marcos Cesar Martins Pereira, Civil Society, Latin American and Caribbean Group (GRULAC)
Panel - 90 Min
A. What are the effects of a country/region's Internet policies on other locations? B. How can the Internet ecosystem / critical infrastructure and human rights be affected by the extraterritorial effects of anti-encryption policies from other countries? C. Is there a risk of internet fragmentation or of the encrypted services offered? What are the effects of this on freedom of expression and the right to privacy and confidentiality?
What will participants gain from attending this session? The session aims to offer participants a fresh perspective on addressing the problem of legislation that seeks to weaken the use of encryption. The current debate, primarily focused on the Global North, tends to overlook the potential unintended global effects of such legislation. We strive to provide a new viewpoint by equipping attendees with both theoretical and practical tools to comprehend how policies designed for the Global North may more or less unintentionally impact the Global South. By doing so, we aim to empower the audience to think critically about policies and legislation, considering the implications of these unintended consequences.
Since 2022, several legislative proposals have been threatening end-to-end encryption, especially in the Global North. In the United States, the EARN IT Act has been reintroduced, but there are also the STOP CSAM Act and the Kids Online Safety Act (KOSA) circulating. In the European Union, the proposal of ChatControl, authored by the European Commission, has been advancing despite strong internal and external criticism, including from the German federal government. The Online Safety Bill in the United Kingdom poses a threat to strong encryption, although the government consistently asserts that there is no such threat. In response, various providers of encrypted services have announced that they would have to leave the country or accept being blocked. Despite these laws focusing on a specific region of the globe, their effects are expected to go far beyond, given that the Internet is global. These demands will impact the services offered there but also in various other regions of the world, considering the geopolitical influences of the Global North. The reduction in security through the weakening of encryption is one of the extraterritorial effects that may occur with the aforementioned legislative proposals. Thus, these proposals not only threaten the rights of citizens in their own countries but also citizens of other countries, as well as the Internet ecosystem itself. The proposal here is to gather experts in Internet policy and encryption to analyze the legislative proposals in question and assess how they may impact other regions of the world. Of particular interest is evaluating the impacts on the Global South, given its contexts of institutionalization and democratic consolidation, human rights, as well as the Internet and its available services.
We anticipate that it will help us identify risks and challenges to strong encryption in the Global South, which may arise as an unforeseen outcome resulting from the ripple effect of legislation undermining encryption proposed in the Global North. The anticipated result aims to increase awareness and unite stakeholders engaged in global Internet security and defense, with the objective of devising strategies to safeguard the fundamental rights of privacy, confidentiality and free expression that are crucial for every individual, irrespective of their location. These rights enable individuals to fulfill their responsibilities, voice their opinions, and ensure accountability of those in positions of power, all while being protected from unwarranted intrusion, persecution, or oppression. We expected to produce a policy paper that will be published in the Encryption Observatory, a project from IP.rec, with key takeaways from the discussion, data gathered from the public interaction and policy recommendations.
Hybrid Format: The workshop will be organized in such a way that the on-site and remote moderators engage in dialogue through a video conferencing platform. The moderators will facilitate communication between the two modes, relaying questions from online and on-site participants to the audience and speakers. We will allocate initial time to utilize interactive tools with the audience from both modes, such as Mentimeter or similar tools, aiming to conduct surveys and word clouds on the topic, addressing aspects such as knowledge of cryptography and understanding of 'side effects' in cryptographic policies. The workshop will include guiding questions for all speakers, both remote and on-site, with equal time allocation (12 minutes) managed by the respective moderators. Finally, there will be dedicated time (30 minutes) for comments and discussions on the panel, divided into two segments, with two questions allocated to the on-site mode and two to the remote mode.
The interconnected nature of the Internet means that weakening a service in one region implies a weakening effect for all users, as the implications are not constrained by borders.
The Global South tends to follow legislative trends set by the Global North, including those that weaken encryption.
Encryption should be seen as more than just protecting privacy but, in a broader sense, as a human rights matter that guarantees freedom of opinion, freedom of expression, and other human rights.
In a multi-stakeholder position, we need to address the topic and ensure that actors understand that their policy choices have effects that extend well beyond the originally intended region.
The workshop Beyond North: Effects of weakening encryption policies began with an introductory speech by the in-person moderator Olaf Kolkman (Internet Society) regarding legislative proposals that could impact the use of strong encryption. Among them, proposals from the Global North, such as the United States, European Union, and United Kingdom, were mentioned. However, as emphasized, the impacts extend beyond the regions from which they originate, considering the global nature of the Internet.
At the initial panel stage, an activity was conducted through the Mentimeter platform to understand the audience's point of view regarding the risk of fragmentation in services offering encryption, should such laws be passed in their respective countries. On a scale of 0 to 10, the average result was 6.4. Another question posed to the audience aimed to understand how the Internet ecosystem and human rights can be affected extraterritorially by extraterritorial policies. The responses formed a word cloud, with words such as 'fragmentation,' 'human rights threatened,' 'security risk,' and 'confidentiality issues.'
After the interactive moments, the panelists had the opportunity to make their contributions. The first to speak was Professor Masayuki Hatta, an economics professor at Surugadai University, seeking to understand how the effects of North Global encryption policies can impact the economies of the Global South. Professor Hatta reflected on the topic from his perspective originating in Japan and from the viewpoint of people who use the services. In his opinion, few people are aware of encryption or know that they are using encrypted services. According to him, this creates a problem regarding the effects that anti-encryption laws create, as sometimes these people may not even be aware that encryption is being prohibited in their locations.
The next guest speaker to address the audience was Mariana Canto, a visiting researcher at the Wissenschaftszentrum Berlin für Sozialforschung. When asked by the in-person moderator how the power dynamics of the Global North could impact the development of cybersecurity policies in the Global South, Mariana Canto began her argument by highlighting the practice of the Global South following trends of the Global North and the importation of narratives. As an example, she pointed out the General Data Protection Regulation (GDPR) and the Lei Geral de Proteção de Dados (LGPD) from Brazil.
The speaker also emphasized the impossibility of discussing regulation without connecting it to the real world. In her analysis, the current concept of privacy is of white and middle-class origin, a privilege for some, while people of color are systematically surveilled.
Regarding the agenda involving encryption, Mariana Canto emphasized the fight against the dissemination of child sexual abuse material. The legislative proposals addressing this issue, originating from the Global North, impact the Global South, in a way that the narrative of law enforcement's inability to act facilitates the insertion of surveillance tools.
The third speaker was Prateek Waghre, Policy Director of the Internet Freedom Foundation (IFF), who was asked about India's national sovereignty policies relevant to disputes over encryption usage. His speech began by pointing out the importation of legal instruments from one part of the world to another, even if they have different underlying objectives.
Drawing on a German case, with the Network Enforcement Act (NetzDG), the IFF director highlighted the process of importing elements of the law by other countries, as noted by researchers, especially more authoritarian governments, which make direct references to NetzDG as inspiration for their legislative projects. Some of the inspired projects require the local presence of foreign companies to operate in the country, sometimes used to threaten these companies and their employees.
Discussing the case of India, the speaker brought up various digital laws, which in his view, have negative aspects. He highlighted the draft Indian Telecommunication Bill, the Digital Personal Protection Act of 2023, and the effort to rewrite intermediary liability with updates. In his assessment, a common thread among them is a significant level of government control (union executive) with little oversight perspective.
The next to speak was Pablo Bello, Director of Public Policy for WhatsApp in Latin America, who was questioned by the moderator about the company's assessment of the potential risk of Internet fragmentation of encrypted services due to Global North policies. In his assessment, yes, there is a risk of fragmentation with the imposition of security measures, as if one part adopts lower standards, the implications affect everyone.
According to Pablo Bello, the perspective of the Global South should be heard, as decisions at this level have implications for all countries. Citing data from The Economist about democracy, only 8% live in absolute democracies, mostly in the Global North, while 55% live under authoritarian regimes, which could pose risks to those populations in the case of cryptographic weakening. The speaker advocates the need for a multisectoral approach to the problem.
The final speaker was Juliana Fonteles, a consultant at the Inter-American Commission on Human Rights, who was asked about how extraterritorial effects of anti-encryption policies could influence rights protected by the American Convention. Her intervention began by pointing out that the notion of the right to privacy is different from other countries and is not normally seen as the most important. Many countries lack laws regulating the protection of personal data that could ensure safeguards on the treatment of personal data by state and non-state actors, which is central to anti-encryption policies.
She also highlighted the history of Latin American and Caribbean countries in violent repression of political demonstrations, persecutions, journalist assassinations, persecution of human rights defenders, and the criminalization of LGBTQIA+ individuals. Information about the behavior of these people is all recorded in private communications protected by encryption. In her role, she has received various reports from journalists and human rights defenders of state surveillance practices through spyware to persecute them.
In this case, Juliana Fonteles argues that cryptographic weakening affects not only the right to privacy but should be considered in a broader spectrum as impacting freedom of expression, access to critical information, the right to opinion, and other rights.