The Assault on Encryption, and Why It’s Bad for your Business

Everyone who uses the Internet – whether individual users, businesses, or states – depends on encryption. It allows us to communicate privately and securely, makes basic functions like e-commerce and banking possible, and facilitates the exercise of a range of human rights – notably the right to privacy and the right to freedom of expression. It also undergirds national security: in the absence of encryption, a range of critical infrastructure and state activities would be more vulnerable to hacking and interference.

Despite this, most countries around the world already place restrictions on encryption-related technologies – a discouraging reality captured in our interactive world map of encryption, which dynamically tracks, studies and analyses legal and policy approaches to encryption globally.

And in 2021, some states are pushing for still greater restrictions. At the time of writing, a range of states and entities around the world – including the UK, EU, India, Brazil, Australia, and the US – are considering major legislative interventions around encryption. While the contours of these approaches are unconfirmed, the broader mood music suggests that “backdoors” and “technical solutions” enabling law enforcement to break encryption are very much on the table (see the recent Five Eyes statement, spearheaded by the UK’s Home Office, and last year’s leaked European Commission report on encryption).

The introduction of “backdoors” into encryption, in particular, would be disastrous both for human rights and public safety, as highlighted in a recent open letter by the Global Encryption Coalition. Every user of the Internet has a stake in resisting it for this reason. But increased restrictions on encryption will also be specifically disastrous for the wider Internet industry in a way that is perhaps less widely covered and understood. What might a typical business expect, if the UK or EU decides to mandate technical solutions for access?

●      Increased compliance costs. More legal and policy restrictions on encryption means the operations of your business become more complex. If your business operates globally, you might have to build apps or software which function differently depending on the territory. Instead of focusing on improving customer experience, your business may have to sink time and resources into complex jurisdictional questions, compliance with state access requests – and possibly legal challenges, if complying with these requests puts you in contention with human rights law. Strong encryption also makes compliance with data protection frameworks (like the EU’s GDPR) easier.

●      Reputational risks. As the recent exodus of WhatsApp users to Signal demonstrates, users are increasingly conscious of how their data is processed and secured, and will reward businesses seen to protect it. How will they feel about your brand if it emerges that you’ve handed it over to law enforcement?

●      Increased risks of security breaches and data theft. When encryption is undermined or weakened, everyone’s security suffers – including the security of your business. If “backdoors” and other “technical solutions” become normalized, you may face an elevated risk of data breaches; and wide-ranging cyber-attacks (like the recent SolarWinds hack, named after a software company which was compromised) might become even more common.

Amid this uncertainty, what can businesses do now?

First, ensure your current encryption set-up is best in class. Embedding end-to-end encryption across your products is just the starting point; your business should also implement strong, holistic data protection and privacy policies, which are transparent and provide clear opportunities for remedy in case of breaches.

By both employing end-to-end encryption in their services and developing strong data protection and privacy policies, businesses mark themselves out as responsible. They also send an important message to governments considering legislative responses to encryption, and express solidarity with the many stakeholder groups for whom strong encryption can be a matter of life or death: journalists, human rights defenders, and marginalized communities, including LGBT+ people.

Second, be proactive in involving your business in the encryption debate. The Global Encryption Coalition is one example of a multi-stakeholder grouping seeking to promote strong encryption globally – alongside leading civil society organizations, it includes many businesses operating in the digital industry, who recognize the clear-cut case for safeguarding the encryption we all depend on. You can also seek out industry coalitions and networks, both nationally and regionally: Encryption Europe is one example. The costs of inaction – political, social, and economic – may prove very high.

Sheetal currently provides strategic oversight for GPD’s global cybersecurity capacity building programme, which supports civil society organisations across the global South in protecting and promoting human rights in cybersecurity and cybercrime related discussions. She also facilitates civil society engagement in key relevant forums, including the UN, through research, facilitation and coordination support.