Encryption laws in different countries: where are we heading?

Encryption has become one of the key features of contemporary digital society. It guarantees us the right to freedom of speech and secures our sensitive information. Governments around the world introduce new laws and regulations every year. It’s crucial for tech companies to keep up with these changes.

Current debates on encryption

While encryption secures our personal information, it can also be a tool for wrongdoing. With the rising wave of terrorism, the authorities are concerned that criminals will use encryption to hide their activities, making it hard for the police to conduct investigations. That’s why, for the last couple of years, countries such as the UK, Australia, the US, and the Netherlands, have been trying to tighten the laws of encryption.

In 2019, American, British, and Australian authorities published an open letter to Mark Zuckerberg, pressuring him to create a backdoor into the encrypted messaging services owned by Facebook. Western officials have been demanding access to the content on Telegram as well. Since no state policies have been issued, the tech companies refuse to do that, arguing that encryption does more good than harm.

Everybody agrees that companies around the world have to use encryption to protect the personal information of their customers. If you buy something on Amazon, it is obliged to secure that transaction. Failing to guarantee security can lead to fines as high as millions of dollars.

Cryptography debates in the last few decades went through several stages:

1. Before the 90s, governments exercised strict control over the use of cryptography. Of course, these were different times with different issues, and cryptography was rarely used.
2. In the 90s, national governments tried to establish full control over emerging encryption technologies. The longest key size the US allowed for internal use and export was 40-bit. Companies frequently complained that weak encryption methods limited their financial performance. Finally, the growing market of e-commerce forced authorities to loosen their grip on cryptography technologies.
3. In 2000-2010, government agencies around the world exploited unencrypted data and system insecurities rather than investing in cybersecurity.
4. The current stage features debates about encryption backdoors.

Let’s explore the current state of encryption laws in different countries.

European Union: between the hammer and the anvil

The European Commission's 2017 cybersecurity strategy regards encryption as an important tool to protect personal data and human rights.

However, the European Union has been under pressure from some member states to change the current policies on encryption. The UK, France, and Germany have been among the loudest voices within the EU asking for a backdoor. While they support encryption in services such as banking, communications, and commerce, they also want to have access to encrypted information when needed. The debates arose after the terrorist attacks in Belgium and France in 2014.

Furthermore, after leaving the EU, Britain is likely to adopt new policies on encryption soon.

Investing in decryption technologies

So far, the European Commission has not come up with any legislation against encryption. However, its anti-terrorism package focuses on investing in decryption technologies and providing additional funding for national training programs. Rather than letting national governments control encryption technologies, the EU does things the other way around.

In 2019, a new term started in the European Parliament. Encryption will definitely remain one of the hottest topics, with a lot of things depending on the political situation and public security issues. Human rights and freedom of speech are among the core values of the EU — nobody wants to step on those fundamentals.

Australia: first nation to create a backdoor to encryption

In 2018, Australia became the least attractive destination for digital businesses overnight. It was the first Western nation to pass a bill obligating companies to hand over encrypted data upon request. Organizations and individuals refusing to obey the new regulations face fines up to $7.2 million and imprisonment.

The bill has received wide criticism as it applies to both local and international companies, including Facebook and Google. Tech companies say there is no way to open a backdoor for government surveillance without undermining security for everyone.

The authorities vs tech companies

Australia’s officials claim that the bill will help fight organized crime and that security agencies will need warrants to access encrypted information. However, tech companies say that a backdoor will create more problems as it will eventually be discovered and abused by wrongdoers.

Some companies have already warned the Australian government that they will store data in other countries.

China’s new law

China has a long history of internet censorship and VPN restrictions. It is estimated that around 10,000 domains are banned by the Chinese authorities, including Google, Facebook, Twitter, Netflix, and Wikipedia. So far, the government has banned everything it couldn’t control.

A new Encryption Law took effect in 2020. It recognizes 3 different types of cryptography: core, common, and commercial. Core and common cryptography is used to protect the state secrets of Chinese government, while commercial cryptography is used to protect the information of citizens and businesses.

Mandatory certification

More importantly, the new law also states that it welcomes foreign providers of cryptography services. But is that really the case?

While this might look like an appealing opportunity for encryption businesses, there are certain limits. According to the Chinese authorities, the commercial use of encryption cannot harm the state or public security. Any infractions would be punished. Furthermore, encryption technologies must be handed over to the government for certification.

As stated in the law, “commercial cryptography products that involve issues including national security, national economy, and the people’s livelihood or the societal public interest should be included into the special product catalogs and can only be sold or provided after passing testing and certification by qualified bodies.” This opens the door for inspection and control.

China is inviting companies to operate in the country, but only if they let it access their systems. All encrypted information may now be intercepted by the Chinese government citing ‘national security’.

Canada: under pressure from allies

Canada is part of the Five Eyes security alliance, together with the US, UK, New Zealand, and Australia. These countries exchange intelligence and discuss cybersecurity policies. While all members have their own encryption laws, they have been moving in the same direction for the last couple of years.

In 1998, Canada introduced the freedom to use and develop cryptography products, a move welcomed by the Human Rights Watch. The government’s policy was that there would be no mandatory recovery key requirements. This was quite reasonable, given the state of cybersecurity at the time.

The times have changed. The other states of the Five Eyes have been pushing Canada to adopt new regulations for some time now. The tech companies in the country are not required by law to provide decryption services — they don’t keep the keys to a backdoor. But while the authorities most likely won’t ask companies to hold decryption keys, they will probably require decrypting certain information.

Crypto wars in the US

The US has always been at the forefront of encryption control: over the years, the authorities have tried to implement many regulations that mostly failed due to evolving technologies and the pressure of public opinion.

End-to-end encryption services bloomed in 2014, after Edward Snowden released secret information on government surveillance. Tech giants like Facebook and Apple increased their use of encryption technologies for security and privacy.

In 2015-2016, Apple received and appealed 11 court orders to extract information from its devices. The most famous case took place in February 2016, when the FBI wanted to unlock an iPhone from a terrorist attack in San Bernardino, California. A CBS News poll of more than 1000 Americans found that 50% of them supported the FBI and 45% supported Apple. Major tech companies such as Microsoft, Google, Amazon, Yahoo, Twitter, and LinkedIn criticized the court order.

The US is made up of 50 different legal entities with different laws. A couple of years ago the lawmakers in California and New York tried to introduce new legislation that would oblige manufacturers to decrypt any smartphone sold in the state if necessary. However, the bills failed to pass.

The CLOUD Act — a new step in cryptography debates

In 2018, the US introduced the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). The CLOUD Act clarified the circumstances under which electronic communications service providers have to disclose data, whether it’s stored in the US or abroad. This let the FBI access information they couldn’t get before.

While many criticized the Act for violating freedom, companies like Microsoft said that it will make the whole data extraction process more transparent.

Freedom to choose in Russia

Russia heavily regulates the internet and technologies. According to the local laws, all users of messaging apps have to be identified, VPNs are banned, and you can be prosecuted for liking or sharing information critical of the regime.

In July 2020, a new law will come into force, requiring all smartphones, tablets, and computers to have Russian software pre-installed. While the local authorities argue that the law will provide freedom to choose between Western and the Russian applications, critics say the software might be used to spy on citizens. The new law might not appeal to some tech companies, forcing them to withdraw their business from Russia.

Ironically, such heavy-handed regulations can backfire. The Telegram messenger was officially banned in Russia in 2018 after refusing to hand its encryption keys to the authorities. However, this didn’t work out as planned. Telegram still provides its services and is widely used by groups opposing the Kremlin.

The UK: a new treaty with the US

The UK was always one of the harshest critics of end-to-end encryption in the European Union. For example, the UK’s spy agency GCHQ once proposed to create a ‘Ghost protocol’ for monitoring encrypted messages, only relenting after public criticism.

The new US-UK treaty signed in 2019 could force tech companies like Facebook to hand over their user data. The law will let the UK authorities to directly ask tech companies for information needed for investigations. It will speed things up, as UK police won’t need to ask for the information through US government agencies. The same goes to the US, if they want to extract information from companies in the UK.

Developing countries

While we talk about encryption laws, regulations and cybersecurity, there are developing countries that don’t have any discussions on encryption. For example, let’s look at Myanmar: its citizens lack basic information about security on the internet.

Things like encryption are unknown to most of the people. Many don’t even understand the need for a strong password. If the local authorities suspect that you committed a crime, they can just force you to unlock the phone and log in to your apps without a warrant. People occasionally get hacked, as both the government and the country’s citizens rarely use encryption technologies.

With a rapidly growing economy, sooner or later Myanmar will have to face its digital challenges. But due to its numerous reported human right violations, Myanmar’s future encryption laws most likely won’t favor regular users.

Conclusion

The encryption debate is still going strong. It is clear that the authorities are looking for more control — they want to read your messages, view your contacts, and keep an eye on things. There is a thin line between the right to privacy and the measures to stop cybercrime.

Tech companies don’t want surveillance agencies hanging around their back door, but they are increasingly forced to compromise.