Policy Report | February 15, 2018

EWI Advocates for Balanced Encryption Policy

Report Recommends Approaches to Meet Needs of Law Enforcement While Managing Risks to Cybersecurity and Privacy

The EastWest Institute (EWI) today released recommendations on encryption policy designed to help find a balance between the legitimate needs of law enforcement and strong protections for digital information.

The report: Encryption Policy in Democratic Regimes: Finding Convergent Paths and Balanced Solutions, provides nine normative recommendations on encryption policy to ensure strong cybersecurity while enabling lawful law enforcement access to the plaintext of encrypted information in limited circumstances.

“Encryption provides great benefits and presents challenges, but most stakeholders share common interests in safety and security,” said Bruce McConnell, EWI Global Vice President who oversees the institute’s Global Cooperation in Cyberspace Initiative and led the development of the report. “The challenge is how to reach a policy consensus. This report sets out two balanced proposals that acknowledge encryption’s dual nature and that may be adapted, and adopted, by democratic governments.”

The report reflects the contributions of international experts, led by the EWI Encryption Breakthrough Group. The report was authored by Andreas Kuehn and Bruce McConnell, with the participation of a wide range of industry stakeholders, technologists, privacy advocates, law enforcement officials and other experts from organizations in the United States, Europe, and India, including Europol, the European Union Agency for Network and Information Security, the Federal Bureau of Investigation, Microsoft, the Berkeley Center for Law and Technology, the Cyber Threat Alliance, the Berkman Klein Center for Internet & Society at Harvard University, and the University of Luxembourg.

Click here for the executive summary.

Click here for the full report.

The report proposes two balanced, risk-informed regimes—“Lawful Hacking” and “Design Mandates”—which are designed to enable legally authorized law enforcement access to the plaintext of encrypted data in limited cases. Such access would occur within a clear legal framework embedded with human rights safeguards, while mitigating the risk that third parties could gain unauthorized access to encrypted data and communications. The two regimes were formulated to highlight a key policy choice: enhancing law enforcement’s ability to access data without provider assistance, and requiring companies to design their systems to anticipate requests for lawful access.

“Balancing multiple interests require difficult trade-offs, demanding a collective effort that takes into account the perspectives, needs and interests of different stakeholders. Encryption Policy in Democratic Regimes presents a highly constructive step in rationalizing the encryption debate, and providing potential courses of action for policymakers,” remarked Udo Helmbrecht, Executive Director of the European Union Agency for Network and Information Security (ENISA).

The report will be formally launched at a panel of the 2018 Munich Security Conference on February 16. EWI will promote the report’s recommendations across capitals and corporate headquarters globally.  

“Arguments are frequently made that safeguarding information privacy and security are irreconcilable challenges, but they can be complementary,” commented J. Michael Daniel, President and CEO at Cyber Threat Alliance. “The more that fresh policy options are debated by stakeholders, the better. This report, driven by a range of high-level experts from multiple sides of the debate, is a big step in the right direction.”