You are here

IGF 2017 - Day 3 - Room XXI - WS 201 State Led Interference In Encrypted Systems: A Public Debate on Different Policy Approaches

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> CARLOS ALBERTO AFONSO:  Okay.  Good morning, everyone.  And the proposal is this session and, um, I am one of the two moderators.  The other is Christine Hoepers.  And our title is State‑led Interference in Encrypted systems:  A public debate on different policy approaches.  I hope you all agree with the title.  And I would like to pass on to Christine so she can present our panel.  Okay?

>> CHRISTINE HOEPERS:  Good morning, everyone.  Thank you for being here.  I hope we get more people through the line.  The room will be with more people.  As Afonso said, I work at said Brazil in PR.  I would like to introduce our panel and explain a little bit about some rules that we put on and really our main goal is to have as many people to participate and have time for you in the audience to be able to interact with the panel and the panel to interact with each other.  We will have in the beginning two presentations about policy approaches and one will be by Ana Buxton from the foreign office.  She is the foreign office specialist in cybersecurity Internet policy in the U.K.  And as part of this office, she provides advice and allows us to inform policy on Internet‑related issues.  And the other presenter will be Nina Johnson.  She is the policy in the security and justice.  She is a specialist in international law especially humanitarian law and criminal law.  And our ‑‑ this ‑‑ two presentations will be 10 minutes each and this is really to seat the discussion about state wide policies in cryptography.  And we have a panel with people from different backgrounds and bringing their own perspectives into the issue.  In your far right, I will start with them.  Christoph Steck and Riana Pfefferkorn.  And we have Monica Rosina at Facebook Brazil.  We have Neide Oliveira.  And Sunil Abraham is for the Internet Society.  After we have the two 10‑minute presentations, we will open for the panel for them to do any remarks or to bring their perspective into policies.  Each panelists will have two minutes to talk and then we will open for the floor and we will always have that timer on top there marking two minutes for everyone.  So it's really because we want to have as many people as possible participating and the replays will be two minute each.  About we open for questions or comments, we're going to get three at a time just in the interest of time.

So I would like to just give an introduction.  When we proposed this panel, I think this is a topic cryptography and policy interference or the need to have or not have is a very hot topic today.  In the internet, it was already touched on some other panels this week.  We were discussing order topics and this came.  I have technical background.  So one of the things I do want to discuss here is really to explore policy options.  The reasons for those options, the content and also to explore the technical issues and difficulties into implementing pauses, sometimes impossibilities and try to bring what are the consequences of these policies intentional and non‑intentional.  I think this will be a very nice discussion for us all to have.  So, I would like to test the work.  Could be to ‑‑ oh, my God, Elinor Buxton, you have 10 minutes to present.  Thank you.

>> Elinor Buxton:  Hopefully it won't take 10 minutes.  I thought I would set the scene a little bit in terms of our general position on encryption and talk a little bit about legislation in the U.K. and where we stand at the moment and then some of the issues that we face and some of the discussions that we have around these issues.  So, let's be clear.  The British government does support strong encryption.  And billions of people will use it every day for a range of statuses from banking to commerce to communications.  So that is our position and quite firmly say.  It is also really important for protecting vulnerable individuals.  And in some cases, we are actually only aware of particular war crimes have happened because encryption was used.  And my department foreign office in the U.K. has actually provided funding to train up people on the east end encryption overseas for communications.  It is important for our own work.  So we do a number of international negotiations.  What's up is our tool of choice.  I'm sure there are some good ones that I am not privy too.  So, you know, having secure communications through encryption is really, really important to us and to everyone in the country.  So that is where we sort of stand.  We have particular legislative powers on encryption.  So a few years ago, we started refreshing essentially our surveillance framework.  It is called the investigatory powers act.  And that actually repeats the powers that we had in our original legislation from 2000 which is referred to as ripper.  Under those provisions, telecommunications operators only have to provide access to data in the clear where it is necessary to do so to comply with their obligations when they start with relevant warrant or authorization.  So essentially, what the act allows for and I'll read it a little bit so I got the detail right is that we can serve a technical capability by the directory of state.  So that has to be approved by an independent judicial commissioner and the purpose of that is to make sure that telecommunications operator maintains the required capabilities to give effect to warrants and notices quickly and securely.  And as part of that, the act makes clear obligations may be imposed on the relevant operator to maintain and remove encryption.  We also have secondary legislation which is currently being put before parliament right now.  And those are called technical capability regulations.  Those sat out the precise obligations that such a technical capability notice can impose.  And that provides an obligation can be imposed to remove encryption or to provide communications in intelligible form.  It is relatively flexible in the way an operator can comply with that.  A quick word on enforceability.  So those notices are provided by civil proceedings.  Overseas, it's a different story.  We aren't able to enforce them in the same way.  Only notices that provide for interception and targeted capabilities on communications data, which is the who, when, what ‑‑ the who, when, what of communications isn't enforceable overseas.  And so we cannot enforce a notice on equipment interference which is also terminology for how we talk about lawful hacking, I guess or bulk powers overseas.  So that notice has to be necessary and proportionate.  And it must be practical to do so.  So the government has to consider what steps are reasonably practical for afternoon individual telecommunications operator and that has to take into accounts a range of factors including the cost to the operator of complying with that and the technical feasibility.  So any decision on that front has to have regards to particular circumstances of the case recognizing that there are many different models of encryption and what might be practical for one operator may not necessarily be for another.  So that in a sum is all sort of legal power on encryption.  And actually if you think about it in detail, it is relatively limited and especially when you get down into the detail of what is reasonable feasible means.  It's not clear how far it can go.

I mean, obviously we continue to face difficulties.  So I think as I caller from the Netherlands will say, this is a challenge for us.  More and more communications are end to end encrypted where even the provider does not have site of the communications and the provider cannot comply with a lawful order when it has been authorized independently is that a real challenge for us.  And it's a real challenge for our agencies.  We faced a number of terrorist attacks this year.  One of the most receipt ones was outside my house.  So there is a genuine threat that we need to be able to deal with and we need to be able to stop terrorist attack planning where we can.  That doesn't mean that these services are going to be used in all the attacks, but there may be instances in which they are and it is frustrating immensely for our agencies and for law enforcement to the companies to not be able to comply with lawful orders.  We think at the end of the day we don't want to have inaccessible to all communications, but we need to insure that people have lawful access to communications that they need to keep us safe.  And that access should be targeted and should be specific.  So we want to work with companies to fulfill our collective responsibility to protect us from terrorists and in order to commit serious crimes while crucially allowing users.  That is really important to us.  We rely on the communications just as much as everyone else.  This is not about creating back doors whatever that means.  That's a really unhelpful term or banning encryption.  So you will have seen if you follow anything around U.K. politics, you will see ministers talking about this quite a lot.  We think on a dialogue between government and industry on this issue is crucial.  And we want to be able to live up to the responsibilities.  Companies don't want their services to be used to ‑‑ company have made while implementing encryption with the services.  That's where we are at the moment this.  Is ongoing problem.  Obviously the U.S. tried to litigate with the FBI and other countries like Germany and France have approached the European Commission with the suggestion for legislation.  But I think we recognize that this is a very difficult issue to sort of roll back the tide.  Of course there's issues around open source technologies.  So, you know, it would be safe to say that it is obviously not true.  Your average terrorist can design their encrypted app and we recognize that.  Only there's only so much that you can actually do about that because that information is out there.  The technology is out there.  And that is not something that government can control.  But we can work with these companies.  They and their services are used by terrorist in some circumstances.  So that is why we are aging our efforts, but please do not think that is where our evidence base comes from.  We think that will solve this as a problem.  We're not really looking at this as a problem to be fixed.  But what we're asking for is how we can work with companies to identify what can be done in an effective way that does respect users rights privacy and does continue to respect human rights.  I think, you know, overall the U.K .'s approach ‑‑ well, my job essentially is to make sure what we're doing domestically signs up.  We co‑sponsored the 2012 on the protection and human rights online.  We have done subsequent versions.  We signed up last year to the German and Brazilian resolution on the protection of privacy.  We do genuinely endorse those resolutions and we do support them because we recognize that the encroachment on privacy is something that's happening world wide and we need to continue to protect them; however, how we reconcile that and I don't want to use the word balance, but the he we reconcile the need to keep people safe is an issue.  We will consider dialogue with companies and Civil Society groups and individuals to make sure we've getting to the right confusion.

>> CHAIRMAN:  Thank you very much.  Nina, you have the floor.  Thank you.

>> first of all, apologies for my choice.  I had some cough.  So maybe sometimes I go a bit back.  Thanks for the invitation.  We're glad with this opportunity to share with you our international position.  My experiences that we encountered in the process of defining our national position and yeah.  With regard to the many beautiful, positive, but definitely also challenging aspects of cryptography.  I just as a short start with a final outcome, it does find at this point in time it is not desirable to take any restrictive measures as regard to availability and use them in encryption in the Netherlands.  We have been promoting this position in E.U. settings; however, what I want to do now is take you along in the process which led to this position.  Why?  Because I think that in my opinion, it shows how a multi‑stakeholder platform or process may feed into policy processes.  In my case, it was a stakeholder process, but the IGF is one.  Other example of that even though the policy process itself was government only for very good reasons.

For the last five years, developments in cryptography have been mentioned in the annual cyber assessments.  We are a national cybersecurity and publishes an assessment which is drafted with over 140 partners from law enforcement, academia, security companies, intelligence and the fact that encryption was featured in the assessments reflected a sort of duality.  On the one hand, the IT practitioners that very strong encryption for the protection of the integrity and assistance where law enforcement indicated that the same encryption them kept them from criminals.  So in 2015 with the sign we wanted to drop the policy paper in which the dilemmas around encryption were described, and which provide the opportunity for a physical position to issue determined.  And we started an interministerial process that involved almost all ministries, but definitely economic affairs, justice and security which include cyber crime department, in10al affairs and intelligence services, law enforcement, defense and foreign affairs and we try to remain as concise as possible.  But in the process, we really wanted to spin out the details and consequences of all policy actions.  So it took us over six months to basically reach the final position.  We doesn't have to start from scratch because several departments had already had cases, incidents and may start the policy choices.  The first dilemma was one which I explained to what extent to dough involve private sector.  We didn't want to develop a free internal dialogue which confidential information can be shared as well.  For example, on methods and the information that you want, on investigation techniques, so that was the reason we decided it should be a government only process.  And it resulted in a formal position on for January 2016 and this paper is translated in English.  So we can find it on the website of our national cybersecurity center.  What dilemmas did we encounter and what did we spin out?  As Elinor said, in our opinion as well, the balancing skill is not a very good analogy.  Most of the times the interests that are involved can be met both at the same time.  Some time is useful to use at least sort of an indication of what different interests and what struggles do you encounter to use the dilemmas.  So encryption is important for the economic growth.  Innovation offers protection and information flow.  It is necessary for privacy, confidentiality of communication and for cybersecurity.  However, also the Netherlands is experiencing serious problems in law enforcement and intelligence gathering through to encryption.  So one of the dilemmas called security versus security being signer security assistance, data protection, forms ‑‑ these are forms of public and national security where the incentive would be to use a strong cryptography as possibility.  Whenever data breaches take place, this may cripple society and things come to a hold.  These are forms of public and national security.  On the order hand, law enforcement, (inaudible) intelligence gathering also forms of public and national security.  They try and break encryption in order to analyze the data from criminals and terrorists.  Therefore, they're sort of dilemma security verse ruse or security and security.  Another dilemma which is both security versus security as well as privacy versus security to protect personal information to be able to free and express one self and enjoy the privacy to be able to do objective journalism and also the need to protect state secrets, company secrets and the need for government to protect communication with its citizens in an E‑government society to communicate for diplomacy and the need for companies to store data to back up and choices are safe to protect innovations.  Cryptography really provides necessary security for the protection of this information and privacy and protection of personal information and communication.  The same persons in organizations may also really want state to protect their personal security when they fall victim to a crime or worse to a terrorist attack.  Companies that did report that are still in company secrets to investigate and prosecute to have access to the necessary information to have the powers and resources available to investigation, intelligence and security services that they are suited for the current and future digital reality with effective (inaudible) to that information.

In addition, the restrictions are allow as long as they meet the requirements of constitution and the European chart and human rights and infringements are allowed if it serves legitimate purpose regulated by law.  With that in mind, we did look at the means and the possibilities for government to insure that the interest on that.  So what can you regulate?  What extent can you have on the consequences with or without formal regulation.  What should it look like?  What distinctive forms and can this I be managed in a way by regulation.  It would only be effective for service provider and can only be effective if it has a decryption key or owns cryptography and what alternative options do you have that can work around encryption instead of weakening in a general sense.  And in our position, there are currently no options in a general sense.  For example, by standards to weaken encryption products by comprising things that use encryption.  Introducing an access to an encryption product would make it impossible for services to inspect the encrypted file, but digital systems become vulnerable just as well.  So that's why we're (inaudible) at this point in time it's not desirable to take any restrictive legal measures as far as development, available and use of encryption.  We do find it really important to work for ways around this.  So we want to continue to dial up with providers, but within government to find ways to get to development encrypts information by means of policy or operational methods by using each other's expertise and networks.  For example, in the content with service providers over the top players and streamlining legal assistance procedures in ways to get into devices before data is encrypted.  Only with the necessary safe guards, check and oversight and legal regulation to have dose competences.

Now the organizers asked me to reflect a little bit on the European developments in this regard.  Encryption that's been a topic for discussion in several council formats.  They have raised the issues and they were confronted with a national level were played out on the European level as well.  There are several initiatives being developed.  They're not finalized yet mostly.  So there are legislative proposals in regards to E‑privacy, data protection, E‑evidence, law enforcement as well as policy proposals for dialogue.  Countering recruitment, or operational solutions such as training for law enforcement and sharing of best practices for law enforcement to work around encrypted information.  So with that, I hope to have given you some insight in how to process what dilemmas we touched upon and obviously as Elinor said, this is not the end.  We will be meeting different and new challenges as cryptography develops further as digitalization of our society develops further and legislation needs to be updated and we ‑‑ yeah.  We will have new intelligence to come over.  That's why I hope also to hear some interesting views from the floor.  Yesterday afternoon, for example, we attended ‑‑ I attended a very nice interactive session where we were invited to think about the actual policies that are both human rights respecting and at the same time very effective.  And it led to a discussion on how you can be engaged in national policy processes.  So I would like to hear from you how you are engaged in your national processes or for example the safe guards that you have promoted nationally and how you work around that.  So it will be interesting to hear.

>> CHAIRMAN:  Thank you very much.  I thought it was very interesting to see this policies for the people that were in line and didn't ‑‑ were not able to arrive in the very beginning.  I'm just going to refresh the format of the panel.  We had a presentation of two policy options and how countries are ‑‑ what they're considering and what are the dilemmas.  We are going to open for the panel if they want to make any remarks, any other comments about these questions.  Two minutes for each person.  Then we're going to open for the floor and we're going to be with some time keep think of two minutes for every division because we want to have as much interaction as possible here.  So, ah, I'd like to open for the panel if anyone would like to make remarks.  We're not going to call people by names and saying you have to say, but if nobody volunteers, we can actually just ask someone to say something.  So anyone would like to go first?  Please.

>> So in preparation for this panel, I listed on my notebook nine different policy options that governments could take.  Sometimes they're distinct from each other and sometimes they're overlapping.  And two presentations that we heard have covered several them.  So I'm going to go quickly through the ones that haven't been covered.  In the developing world, people are still talking about prohibitions, not so much prohibitions of encryption, but prohibitions on certain standards and key (?).  The old debate around key escrow still exists.  Governments are age to go to standard settings and mathematicians and compromise encryption standards while they're being developed under public scrutiny.  The next thing is that some governments also go to standard setting organizations like the IETF and ISO and through the process of consensus building block the development of strong encryption standards.  For example, TS1.3 is an example of that type of thing.  But then I also wanted to talk about two kind of positive policy options which I would like to see.  Positive interference by governments especially again from India, the tests requiring government offices to use encryption both in order to keep the communications confidential, but also for non‑(?) purposes.  Investing heavily around mathematics and cryptography.  Thank you so much.

>> CHAIRMAN:  Thank you so much for raising these important points.  Monica, do you want to go?

>> MONICA GUISE ROSINA:  Thank you so much for having me on this panel.  Interference?  It is an honor to represent Facebook at this panel.  I just have a few words to say.  At Facebook strong encryption serves a vital role in securing our infrastructure and protecting our users personal data and communications.  When Facebook uses encryption, the objective is not to frustrate law enforcement, but rather to create secure networks that protect our users.  It is our position that deliberately introducing flaws and encryption technology substantially undermine cybersecurity as a whole because it is not technologically possible to make it easier for law enforcement to have encrypted content communications without making it easier for cyber criminals and foreign governments to do so as well.  In light of the receipt high profile data breaches, this becomes Salient.  Internet platform providers and bio app developers or other restrictions on the user technology will be at a significant competitive disadvantage relative to their foreign counter parts that can continue to offer unincumbered products of having industry and opportunities.  One trend that we have been able to see is that one ‑‑ with one app or services block, many users will switch temporarily or permanently to a readily available alternative.  In the case of the Brazil blocking case, many users temporarily switch to telegram.  Like I said, this not only artificially undermines competition, but in many cases, alternative services located in other jurisdictions may either be unable or in many times unwilling to cooperate with government.  Having said that, I would just like to highlight that there is no place on Facebook for terrorism or child exploitation.  Facebook is responsive to law enforcement requests and complies with applicable laws.  And that include closing account.  When we receive credible reports of criminal activity providing training to law enforcement officials on our platform policies and practices, we have recently been doing that in Brazil a lot.  And disclosing unencrypted user information and all the metadata that we're able to provide in response to valid law enforcement requirements.  You will continue to work in partnerships with key stakeholders.  We deeply respect law enforcements ability to work and keep our community secure.

>> CHAIRMAN:  Thank you very much.  Another good point and I think the point about metadata is something that is usually not discussed.  Elinor said criminals can go to develop their own crypto and then you use metadata also in those cases.  So it is some of the issues that need to be raised.  I will pass it to Neide.

>> NEIDE OLIVEIRA:  Good morning.  This mystified the idea that many people have among providers, lawyers and okay and academics.  To end that encryption, for instance, it was used by the federal prosecution used and served long before by what's up.  That is the most user app in Brazil.  Every good (?) has the right to hear that.  Regardless of the service used, for the security after that and the exchange message, this does not mean that people who committed crimes by means of encrypted servers should be moved from their acts.  Therefore, we understand that the providers that use any type of cryptography in corporation, we have the law enforcement authorities must together seek the safest manner.  We felt the fact in other users allows investigation of those who are misusing their service.  In this discussion about cryptography, what matters to the prosecution serves is to determine to what extent an Internet application provider which operates in the country may cooperate in order to prevent the commission of crimes in violation of rights conduction to that effect possible and precise vacations if they are needed.

>> CHRISTINE HOEPERS:  Thank you so much for giving this perspective.  So this side of the panel.  This side is more talkative.  So I don't know.  Let's see if you can ‑‑ because this one is making the whole phone noise.

>> Can you hear me?  Okay.  All right.  I guess it's working.

>> CHRISTINE HOEPERS:  Let's go for the plan.

>> Okay.  Thank you.  I'd like to start by quoting a letter that was signed by more than 80 organizations including Access Now.  It was sent to ministries.  While the challenges of modern day security are real, proposal to undermining threatens integrity and security of communications tool that are relayed for international commerce, banking, the free press, government, human rights advocates and individual around the world.  In short, encryption is key for security, key for economy and key for human rights, which is why any proposal for encryption must be rejected.  For many years, we saw the need for government.  Those mandates have been found disproportionate twice by the European court of justice.  They were created and used to allow authorities around the world restriction information.  These have been found slow and burdensome, but rather than focusing and upgrading those, we are seeing a growth and a rise of proposal from government and increasingly focusing in government hiking.  This has proven implication for human rights.  We have seen this discussion happening in the context on the access to E of debate.  I would like to point out in the race to gather data, we often qualify very quickly all of the data evidence even before there had been access and can be qualified as such.  Access Now is published a report on human right response to government hiking in which we call for a global presentive ban on hiking.  We recognize that several government are engaging in the practices for intelligence gathering and we put forward a series of safe guards for depresses and oversight that must be in place in the rare instances where government hiking can be justified.  Most types of government sponsored hiking are amplified by public debate on this issue.  I would like to thank the U.K. and Dutch government for engaging in this discussion.  Thank you.

>> CHRISTINE HOEPERS:  Thank you very much.  So are the ‑‑  

>> I guess we're going down the line now.  I want to talk about responsibility.  I think the U.K .'s outlook on the encryption debate is very similar to the one in the United States at least as we hear from federal officials in the United States in terms of how they frame a discussion.  Elinor talked about companies living up to responsibilities, but she doesn't specify what the responsibilities were.  It is not a term that exists in a vacuum.  You have to be responsible to somebody or something.  I take it from her comments that she used technology companies in Silicon Valley being responsible and serving the names of government in term of maintaining access capabilities for law enforcement.  It is also an interest of tech companies to be responsible to their user, to be responsible to the broader energy and innovation and new systems in development and to the future.  I think that is something we heard much more from Nina with regard to the your look of the dutch government where it really sounds like the dutch government views itself being responsible to its citizens and to the future prosperity and thriving of the dutch economy and dutch society and end up being responsible for critical infrastructure and protecting IP and protecting individuals into their privacy.  I think we heard a lot about responsibility to include various stakeholders in determining what the state's policy should be in the Netherlands.  I think that is a really noteworthy compare and contrast in terms of thinking about what role governments have in terms of setting other encryption policy, which way responsibility flows and what the role should be.  Thanks.

>> CHRISTINE HOEPERS:  Thank you very much.  Demi, would you like to go?

>> DEMI GETSCHKO:  Thank you for the invitation.  I will say some thoughts about the issue without any relation to any government.

First of all, I think it is all right for anyone to use encryption.  I think it is different that the individuals choose to use and they view the encryption provided by platforms that are two different things, but, of course, I think you have the right to use encryption all the way.  I think also a weak encryption is worse than no encryption because the weak encryption will give you a sensation, a feeling of security that is not true.  And you will feel secure and in a right, you are not secure anymore.  I am totally in favor of the strong security ‑‑ I am in favor of the strong security.  Just to mention that the Internet in some way trying to defend itself all the time, we don't have heard about encryption years ago as much as we are hearing now because of the note and think and because of the privacy and so.  Every time we aim some kind of goal and aim this goal going out in a bad way, we open the way from the opposite process than if you begin to violate privacy to get navigation date.  They will use a browser without this kind of things like door for example.  If you try to get the search data the user will try to use the goal or other softwares.  If you try to read the (?), the user will use cryptography.  And this is the natural way to move forward then.  In some way, I just want to warn that if you take ‑‑ if we take the wrong measures, these measures will lead us to the wrong objective, the wrong goal.  Then, of course, I am totally in favor of strong cryptography.  I think it is in our total right to use this to provide protection to our privacy.  And you have to avoid the false dilemma of privacy versus security.  This is a false dilemma and you have to be aware of.  Thank you.

>> CHRISTINE HOEPERS:  Thank you, Demi.  I will give an update.  Here on the table, the microphones do not move.  The speakers cannot get close.  If anyone is having trouble hearing small devices.  Seth?

>> SETH BOUVIER:  I wanted to say in the beginning that I am like the Dutch and U.K. governments.  I am not here to represent national position, but rather speaking for someone who's been involved in encryption debates from inside for many years.  Obviously if you follow this issue in the U.S., you will know the issue that encryption has flared up several times over the last few years and I think the policy debates at the government level played out rather publicly.  We have law enforcement, public safety officials making their problems known publicly and but we have eye new administration now and they're not putting anything out.  I am here to hear from you and to have this conversation with this group about the issues that are important.  I'm not ‑‑ I don't have much time.  So I'm not going to go over some of the strong interests that Nina and Elinor have put out there.  The U.S. certainly shares those strong interests and strong encryption for the same reasons for cybersecurity for protecting human rights, for protecting our own government information.  We have those things.  I did want to add maybe a couple of issues to the queue for people to think about the conversation about the risks of how to focus on end to end and encrypted platforms being used by terrorist and criminals.  But there's this issue that I think is sort of framed a lot of the 'on (?) in the United States.  You have devices that are encrypted in the lawful position of the fiber or other investigative groups, but they can't get access to it for their own purposes.  Discussing the issues vice encryption would be (?) to hear.  I wanted to raise one other issue.  Not usually part of the discussion, but I think interoperability you have different national approaches to this issue and sort of, you know, I think at the international level, it is worth considering interoperability and how the different approaches might fit together and is there some solution that could work there.  So I'm out of time.  Thanks.

>> CHRISTINE HOEPERS:  Thank you very much.  Thank you for bringing the point of interoperability.  It works now because we have interoperability.  So Christoph, thank you.

>> CHRISTOPH STECK:  Yes.  I hear from people that have been around and for 90 years, we have to give lawful intercept.  We have developed in around the world systems to be able to give access to information in specific cases to authorities to the government.  I understand that now we have separated the service of communication from infrastructure, which is nice and which is good which we all like and support.  We support that our customers encrypt information because basically we are, of course, in favor of the privacy and of the human rights.  At the same time, we understand that it will continue to give access to ‑‑ because we have to because we're obliged to give access in the right circumstances and right of process.  At the same time, we can hand over encrypted information that makes no sense to the authorities.  So that's the issue.  So my question would be:  Is it a public policy issue?  I think it is a public policy.  I don't understand why the values and the decision to have been taking through very important human rights have changed.  I think the values are still the same.  I would rather ask if there's no way of giving ‑‑ if unrecovered encryption which is very specific form of encryption is the way you want to go forward, how can we strike this right balance between these fundamental rights and value decision of taking in the past?  I think that is basically where I see both governments present in the beginning are very close to each other.  Just one government says we believe that we shill have to strive for that even for encrypted information.  The other says I believe we can't strike it because it is unsustainable.  The problem is that the dutch government says we leave encryption as it is, but we still want access to the information.  So they just look for a different way of hack think the device or whatever.  I use hacking as a bad word, but maybe get access to the information in a different way.  If that's safer from a technology point of view, fantastic, but then in the next IGF, in what circumstances can they get access to that information.  In the end, it is a privacy policy debate.  There always has knowledge about the history and this will not change through encryption.

>> I think we are going to open for the floor.  But I think Elinor wants to clarify a point.  So ‑‑

>> ELINOR BUXTON:  I think the government and I have the same expression.  We take ‑‑ we're not trying to undermine ‑‑ the U.K. government is not trying to undermine.  It is looking for Raul that work around that is feasible.  So I think we're probably on the same page as opposed to having a distinct policy decision.  On Riana's point, we think that companies have a responsibility to serving (?).  We think they have responsibility to renovation that users have entered that just as much.  If a company has a lawful warrant and they provide services to our citizens, we expect they should be able to follow through.  We recognize they can't in a lot of circumstances and it is frustrating.  That is just a challenge and what do you do in that sort of circumstance.  It is not involved, you know, forcing someone to weaken or undermine encryption because that isn't within our legal framework.  We're not able to do that.  So I think again I'm just clarifying the process as well.  So our policy acts on new legislation.  That went through.  There were three independent reviews which led to the drafting of that.  That was then scrutinized by three committees.  It went through two houses of parliament and was voted by democratically.  Throughout that process, Civil Society, academia, scientists, other governments could feed in information, technology companies could.  We took extensive calls throughout the process.  So we have tried to strive for a framework which at least people could contribute to and could capture the views of many rather than having a government dictated approach.  I think Nina framed her presentation much better than I did.  I think we're more on the same page than may have come across.

>> CHRISTINE HOEPERS:  Thank you.  There's one question leer and one there and one there.  The three first.

>> JOANNA BRYCEON:  Thank you for the really interesting discussion so far.  My name is Joanna Bryceon.  I am a reader at the University of BATH.  I want to say this is a statement, not a question.  You cannot trust AI if you cannot trust encryption.  Think in particular about driverless trucks and how you're going to stop them if state actors can hack into a driverless truck driving through a city.  On?  We have all seen this in New York.  I am worried how many people here have degree in computer science.  I used to look for negotiated solutions, but I am not an excerpt in encryption.  I am an excerpt from artificial intelligence.  I doubt there is a technical solution to this and I realize that government has had access to communication, but I'm not sure we can still do that.  The world is changing.  So I want to know ‑‑ yes.  Maybe you can go and look at the people themselves and try to get information from them, but I'm not sure there is a technical way to do the two things that you want.  I hope somebody else in the future science degree says something to this meeting.

>> CHRISTINE HOEPERS:  There's a second one there.

>> TED HARDY:  My name is Ted Hardy and I'm a long participant and I wanted to make a clarification that Mr. Abraham made.  He mentioned that governments have developed the IGF related that to development of TLS.  I can clarify that is absolutely not the case.  Governments have no specific role in development of standards and the ITF.  And the ITF has had a very long support for development of cryptography and the deployment of saying going back to RC1984.  That was well chosen and 1996 on the statement on cryptography and technology internet.  It will not develop technology for wear tapping.  Later statement on Internet confidentiality and response to pervasive surveillance saying the internet should move from permitting that to making it the default and RC6624, which is a threat model document which is described.  In essence, the ITF has made a very strong commitment to both the development and (inaudible) solutions and as a participant, I also want to remind you of the Internet's architecture.  And that is while there are telecommunications providers that provide services, that service is the movement of packets from one end to the other.  There are other kinds of application services in the Internet and they can provide peer to peer applications where they can provide communications through a server.  When you have that, which are encrypted, there is no provider to serve such a warrant too.  The only person you can go to and ask fur the clear text is in one end point and the other.  We are making strikes to make it possibility to make things which normally require a server to be able to use end to end encryption and even in conference situations which are multiple party.  I believe that from the architectural perspective, continuing to focus on service providers is fundamental flaw.  Thank you.

>> CHRISTINE HOEPERS:  Thank you very much.  The third one there.

>> And there is a (inaudible) of moving the encryption projects from this control and I would like to get your views on this issue.

>> CHRISTINE HOEPERS:  Thank you very much.  So I will open for anyone that wants to reply and we are going to take questions in three.  So three comments and then three again.  I would just put ‑‑ they could off my hot as moderator and put my hat as one with the computer science, degree and Ph.D.  I wanted to comment that I agree that I don't see a way to have a compromise on this.  So I don't see a way to have a compromise on being able to serve and have strong entry and encryption and being able to have this.  So you always can have a shift.  You can have someone building another app.  I think having the technical views here and having this debate is to understand.  It is important because we need to understand more of the policy issues, but I think we are living in a new world.  Like the general said, we have an architecture that works in a certain way.  I think we need to discuss a lot and deep with the technical community and everything else.  So, ah, I think you want to respond to the comment?  That was raised specifically to him and then Christoph has a comment too.

>> Christoph:  So I'd like to start with the comment that you can only get the decrypted payload if you go to the end point.  If you look at the technical document for it, there is something called a data volt and the encrypted material is kept in the data vault.  So there is tension of the encrypted data going on.  When it comes to government participation at the IGTF, it is not just what the representatives of that particular government say at the mic.  Of course, that has some kind of influence than what the room thinks.  If that government has sufficient resources, that government can fund the participation of several academies and mathematicians that perhaps support their point of view and can interfere with the so‑called mum methodology and where things go.  When it comes to the question about the compromise, then either free software communities or (?) companies implement a particular standard.  They may introduce vulnerabilities and that is not what governments are taking advantage of when they have a legal hacking program.

>> CHRISTINE HOEPERS:  Christoph, you raise your hand.

>> Christoph:  I heard no one on this panel saying there should not be a way (inaudible).  Actually, I don't see this caned of problem which is coming up all the time that you have a balance or compromise.  I think there will be an encryption.  People have a right to use it.  The only thing I said and I think many people said you're in the panel and encryption is a very nice tool to help about privacy, but it is not November to give you privacy.  It is also in the in to have with the overall question of when can a government have access to certain information or not?  I think what is currently developing is that encryption will happen anyway, and it is good by the way and necessary for the future words go for.  The only question and maybe I wasn't clear enough is I am not sure and I don't know enough about that.  If that's a better way or worse way from a technology points of view.  It is giving legal hacking from devices.  It is a solution.  Is that a better way from a technology point of view or is there a (?).  I think that's the debate.  It's not that we debate if it will happen more often.  It will help anyway.  Anyone else from the panel wants to comments something?  I'd like to (inaudible) on the work control question.  It is being removed and we would like to go a little bit beyond that and I'm going for more commitment on transparency and commitment for human right to be included.  We have seen positive movement from the parliament.  We will look closely to get this.

>> We had one hand.  Only encrypt have its benefits, but also it comes with new risks.  For example, on the internet encryption software, free software widely possible believe have ‑‑ such openly available software to be ‑‑ could it be a new tool to extract privacy person at dalla from the users.  Also we have the benefits of protecting human rights and policy and showing property rights.  The need to and crimes and lines, et cetera.  From the technical point of view, all encrypted data can be decrypted depending on the computer speed up of the computers.  And as the tradition way of encryption is concerned, but also we have to consider that ‑‑ new method of encryption.  For example, there is unavailable material.  When someone was hacking the message, the data would be encrypted immediately.  How many are we away from such wide introduction you in technology.  How did the local security agencies work and attach with such problems in the future?

>> CHRISTINE HOEPERS:  Thank you.  Please.

>> Thank you very much.  (inaudible) from global the human rights counsel resolution, the information protection and human rights was mentioned on the channel.  I heard that with great interests because GPD we see there's a clear need on this issue.  Clearly there are different approaches at the national level to both violence.  So guidance is needed, it's important and we believe that guidance should be recommend rights respecting.  So I would be hearing.  If there is support and coming up in June of the human rights counsel, which recognizes the important role of that encryption place as an incredibly.  And so use this community to move forward international building to prove aggressively on these issues.

>> Thanks.  I am speaking entirely in a personal capacity here.  Thank you to the panel.  It was really useful to get into the detail, which you did.  That's the bench fit of these kind of meetings.  I do sometimes get slightly policies and being professor of red cross ‑‑ again, because it means we don't have the time get into the nuances which is where the important questions actually come up.  I think Riana made a really good point yesterday related to the point that was also made by the gentleman of Telefonica.  We don't have 20 years of experience and evidence to go on.  I agree very much with Myiana.  You need to pay attention and think through the risks that enables.  I think (?) applied well on the IGF point.  I also spent a lot of time consuming for the U.S. government.  We learned so were about so many of the ways that governments have been informally dealing with these issues.  The note in disclosure.  The question I'm interested in although I'm really sorry I want to raise it and I have to run off to another session yet.  There's bench a large scale analytics of data revealed.  I am interested by the U.S. panelists how you're section.  The reform is happening right now.  If you expect that to be any significant changes.  Thank you.

>> Thank you.  I know there was a question specifically for the U.S.  Elinor and then probably Seth.

>> Elinor:  There was a solution last year that Germany and Brazil sponsored the text of that emphasizing in a technical executions to thrive and kept.  So in a sense, there is already norm setting going on in this capacity and I assume it is similar resolution that will come back around in the next session coming up in March.  And so I expect that encryption is not going away as originally issued in which people want to have international guidance.  Some were of international forms.  And we adopted that legislation.  I think technical feasibility will raise questions.  People have raised points around the implementation of standards and I think, you know, at the end of the day, we've not complete individuals.  We have an awful lot of very, very clever people working on these issues.  We have GCH3 has expertise in it.  We wouldn't be pursuing lines we didn't think were possible because as much as possible and policy makers without specific degrees.  Those all go through highly technical people on the way up.  We would not propose and imagine ‑‑ I was saying to Ian earlier.  None of this makes good round bites.  That's the real challenge with all of this is that political statements are really challenging.  People that understand or saying things in one sentence is not we can capture ‑‑ is not something we can capture.  A lot ever them will have and do the requisite expertise.  But I also am inviting on solution making.

>> CHRISTINE HOEPERS:  Seth, there was a question for you.  

>> SETH BOUVIER:  I wasn't expecting a 7:02 question.  What I have heard is there is some expectation that the 202 one will get done in terms of specific.  The question is:  I don't know, I have an seen the language specifically.  I hope that gives you some sense.  I do proceed.  Since I have the mic.  And I happen to (?) for you, since I have the mic, I guess I would like to sort of put a question out there for everyone to consider since you heard from the panelists, just take a step back.  I think the question I would like to see some engagement around the general public wants to see in terms ‑‑ what are their encryption.  I don't think there's any sense people who want.  What are the desires?  Is it all or nothing?  I think I hear a lot from people they don't want their photos on get wiped off their phone.  But also there's a trend ransom ware where you have actors going in and encrypting the data.  So I think where are the debate ‑‑ where there should be more debate is around your question?  What are the factors driving through public interests and see said sees.  We have Nina that wanted to ‑‑

>> I wanted to react to two different ways.  One is the discussion that we're having from a policy respective to focus on the service providers.  We do think that it is necessary to stay in touch with the serves providers.  Everyone thinks it, but the data is always needing the content to be able to effectively investigate and prosecute.  So that's a question you should remain in dialogue with her there was also the questions part ever the software will remain vulnerable.  We are handling.  We will make mistakes with that and this is a way, this will remain a way to get into the data.  The discussion can be exert you use existing vulnerabilities or existing.  The new will have it.  Definitely a another policy discussion relates to that.  But it is a different way, but it is ‑‑ yeah.  Discussion that you have two access the data and work around encryption day.

>> Mr. (inaudible) wanted us to replay.  I wanted to ask professor begins around data and analytics.  I think the dutch government may be taking the leadership here.  I don't know for sure, but I read the report by professor Dennis Pruder is a big data there is the approach that calls the core fines and they will not go into the specific database.  I am reading from the documentation.  Let's not really go.  So everyone wants to talk now and there are a lot of questions.  So what I will do is take the last questions.  I see one here and I see one here.  But sometime is short.  I think this could have been a big session.  While almost everyone wants to talk and we can have a wrap up and answer both questions here.

>> Hello.  My name is Moren.  I am a cryptography at federal human rights of ICANN and I don't think anyone doing have table governments going forward.  We have stakeholders and increase the surveillance.  But I don't think there.  This is quite frightening to me.  I do not have a stable gust, I am Brazilian.  So you seem to be sure that is the best way to be done as well, one more from now, I will not be hunting terrorist.  But maybe I will be hunting for not a terrorist, but here depending this exact position, we cannot endorse some divide that seemly easy investigation (?) and privacy is follow to exercising our freedom because creating a way for governments and even if it's usually the excess, we'll only be done through an independent made it is weakening encryption.  You cannot have strong cryptography and has a ‑‑ if it has a flaw by design.  Do you see any way of doing this without opening a way to governments to all users data.  I don't think mass surveillance, but simply creating the possibility of future master attention.  For people like me who come from countries history, full of dictatorships, that's bad enough.  Thank you.

>> I think we're being quite cynical about it.  Basically on one side we're seeing that with a record encryption, governments cannot and will not have access to the communications and that technically, it is impossible and we should not try to prevent it.  But on the of the side we have applications, our global fins to company.  We might be discussing on the privacy how much information we're willing to share with the company and on to get information of where we are, what do we do and what are the contents that we have access to and we are saying that we are not allowing legally elected governments that they can have access to the communication that it is provided bay the laws that have been approved by all citizens in legally democratic processes.  This is quite cynical.  I don't see why do we have the different approach?  On one side, weaver not allowing governments that have elected to defend security of the nations, but we're allowing companies to have access to other personal data.  So maybe the solution is not providing seas and keep the communications.  Maybe this solution is to have governments to access the enhances at the end of the devices as the sumps are doing.

>> CHRISTINE HOEPERS:  Thank you.  Is that a question or comment?

>> I would like to hear some thoughts from the representatives of government.  If you can share some stats, numbers and people is how much they use easy is to metadata for solving and prosecuting and significant crimes.  And how much is not useful to only have access to metadata and then go strictly to the content of the communications to solve in the crimes.  I am following the reasoning that was made by the Professor Iyen, trying to point out come out with evidence trying to use on trapped data for policy.

>> CHRISTINE HOEPERS:  So I went to ask the panel if you can make like a compromise of people trying to keep one minute or so and we can give a chance to everyone to do some closing thoughts here.  I don't know where we can start.  But so everyone will have a chance to speak now or to answer.  The quicker we start so can we go ‑‑ so, Monica, you can start and then we'll go. 

>> Monica Guise Rosina:  I think ‑‑ I don't think we'll be able to solve in the near future.  Just from a company perspective.  I think while I would like to make the disclaimer that I am not a less employee, I am a Facebook employee, what's up is part of that Facebook group of companies.  And the one challenge we face ‑‑ so, I'm not going to start over, but I just would like to state that the one challenge that we're currently facing is in order to strike the balance, Facebook has a company that is willing to compromise and provide as much access to the data that is technically usable to provide and we talk about metadata and learning encryption if it's a lawful process, if it's a quarter court, we are willing to comply and our groups of families are really to comply.  When we are enable to comply with these orders such as wire banning requests for content that's end to end encrypted.  Statin content that's end to end encrypted.  So our executives are being involved.  We're facing whichever there fevering will technical enact to provide content to encrypted services.  But apart from that, everything else that we collect was publicly recognized by the gentleman and that can be used to help law enforcement keep us safe and we en(?) and willing to operate.

>> We have a lot of tools in the infiltration and the system.  Sometimes it is ripped another tool.  In Brazilian decisions ‑‑ in many cases, the application was not delivered making it impossible to started investigation of series of crimes such as the public forward or actions of organization is.  Brazil as Muriano said you are not to worry about terrorists.  But we have serious crimes.  They encrypted that to some imagines.  We have another tool to investigate.

>> I wanted to add for the person I agree with, I have an art in the government now.  This is based on very, very specialized people.  So I would like just to calm down besides the government we are trying and we are being stable.  Thank you.

>> Thank you.  Thank you for raising the point on the commercial using collection of data.  Even though it was not specifically accessed within this panel, this is part of the issue as well.  We are certainly on our side pushing for strong amazing back practices in order to reduce this not only for surveillance and intelligence, but just for the fact that I'd like to pushback on the point that people are willingly giving away data.  There is a great deal that is being collected without our knowledge or consent that goes beyond providing services.  We also need to look into more of the commercial use of data and put some strict countries around which data.  At the moment, the real rite is that companies are overexpecting data and are turning way too longer. 

>> Just some closing thoughts in no particular order.  So I shouldn't ‑‑ maybe I founded a bit down on the companies.  They are very good to know and they have respected us several.  So thank you.  It is technically impossible I knowledge ‑‑ I think all ministries would consider responsibility.  Because their job is being accountable for keeping that safe and matters why it is part of this endless conversation.  That is why it continues ‑‑ saying that, companies have been exceptionally fitting.  Different sometime would be ‑‑ there are specific and defined limits to what we ask and we want the access to communications of individuals who are actually under suspicion.  That is not always the case and there my be let's go to serves of why people want information and want to relationship it.  Again ‑‑ okay.  That would never be our policy, but I think, you know, we do face challenges in trying to justify why we should be able to do that.  The discussions like this are really, really useful. 

And finally the commercial data, it's funny.  People said but going, we have access to all these things.  And I asked about concept and that you're returning some machine is down to reach.  How do you improve and then I will just add like I said at the beginning, we are key their isn't an absolute right to privacy in the U.K. as Nina outlined.  You can interfere with those rights when it is proportion and unnecessary and that is where we are trying to go any any further of rounds of international. 

>> We have another session starting in five minutes.  So I'm kind of just here.

>> I think there were some really good questions.  They saw he difficult it is because they show dent perspectives and households.  That is really new to me and it would have went that weighing things fully and completely.  It is not so much to be able to strike the balance.  It is for citizens to protect themselves and having a dialogue with providers are different providers they went on working around it.  Thanks for your ‑‑

>> I'll be quick.  Regarding going to join the government.  We really need to understand to world the code whereas you can believe in whatever laws you let's historically, you need to adapt and change.  We can keep going in circles.  But the third access is done.  So let's discuss how to move forward and what restrictions there should be on these new work arounds.  Thanks.

>> Thank you also.  We had very good questions from the floor and it was very, very exciting to be here.

I really don't believe in circumventing things via some kind of technology like back doors or something like that.  Of course anything that can be made or would be made in technology, but they cannot read our minds until now at least.  And thank you again.

>> Hi.  Thanks, everyone.  I want to make one quick point in response to the comment here.  I'm not just from the U.S. perspective, I am not hearing a call for back doors or access.  I agree how the actions with strong rule of law would be taken up by countries with weak rule law and how we explain the difference between them.  I think that's a critical issue.

>> I think I would agree and I think it's right.  The genie is out of the bottle.  That's what I want to say.  I think the good news is this is going to happen.  The bad news is that the underlying problem is going to continue that you have to put, you know, in a balance way whatever we've going to use, the different rights in question.  And just a final thought, not to frustrate you, but maybe for the first debate.  The last 20 years or even longer, telecommunication provider have fought heavily to not give direct access to governments.  They have systems installed and have a nice feature of checks and balances in the sense that governments can ask us, but we have a chance to check on the formal way it was done and so on.  We can have address mechanisms and so on and so forth.  That was a check where they gave a formal way of getting through a balanced approach.  When we go to legal hacking, this is the fantastic access.  They put this piece of software on your mobile phone and they have direct access.  That's the fact.  I don't want to frustrating, but strong encryption will lose us to a different battle which is a multi‑hacking of the devices.

>> Thank you very much, everyone.  We don't have time for any more questions.  The audience raised questions that we didn't have time to raise like data protection and all about protecting keys, but I would love to (?).

>> With very qualified panel, and the audience.  As a core organizer, I am happy with it and I look forward to take a very detailed reading of the transcripts because there are so many interesting ideas, questions and positions.  We have to go through those.  Thank you very much.

[APPLAUSE]

Contact Information

United Nations
Secretariat of the Internet Governance Forum (IGF)

Villa Le Bocage
Palais des Nations,
CH-1211 Geneva 10
Switzerland

igf [at] un [dot] org
+41 (0) 229 173 411