Encryption Technologies


Encryption is an important technical solution that all Internet users should use to protect their communications and data.

Introduction

Encryption technologies enable Internet users, including individuals, governments, businesses, and other communities, to keep their data and communications confidential. Encryption is a technical building block for establishing and maintaining trusted networks, applications and services on the Internet: it supports freedom of expression, commerce, privacy, and user trust, and it helps protect data from unauthorized actors.

However, because bad actors can also use encryption, government security agencies and law enforcement have expressed concern that encryption technologies could hinder their ability to protect citizens and enforce the law. As a result, there have been calls for and attempts to limit the use and strength of encryption.

The Internet Society believes that encryption should be the norm for Internet traffic and data storage. We recognize the concerns of law enforcement, but believe that encryption is an important technical solution that all Internet users should use to protect their communications and data. We believe that attempts to limit the use and strength of encryption will negatively impact the security of law-abiding citizens.

What is encryption?

Electronic encryption is the process of scrambling or enciphering data so it can be read only by someone with the means to return it to its original state. It is used to protect both data stored on a computer system and data transmitted via computer networks, including the Internet, resulting in increased security for financial transactions, protected private communications of end users, and much more.

Definition: Encryption is the process of converting data into another form which cannot be easily understood by anyone except authorized parties. The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks.

Modern encryption algorithms, or procedures for performing encryption on data, play a vital role in upholding cybersecurity. They offer assurances that valuable information is “for your eyes only”. Encryption ensures that credit card numbers, for instance, are seen only by those persons or systems with a need to know this information, and it aids freedom of expression and helps uphold privacy by preventing bad actors from eavesdropping on private communications.

Key Considerations

In practice, encryption takes the following forms:
Symmetric encryption uses an identical key to encrypt and decrypt a message.
Asymmetric encryption uses a pair of public and private keys to encrypt and decrypt a message.
End-to-end encryption is where only the sender and intended recipient can read a message.
Data-at-rest encryption protects data physically stored in a digital form.

Common types of encryption: There are four common forms of encrypting data:

Symmetric encryption: Uses an identical key to encrypt and decrypt the message. Both the sender and the receiver have access to the same key. It is fast and efficient for computers, but if the key falls into the wrong hands, security is compromised.

Asymmetric encryption: Keys come in pairs, and information encrypted with the public key can only be decrypted with the corresponding private key. The recipient publicly publishes a key for the sender to encrypt their data. The recipient then uses a private key to decrypt the data. It is similar to a locked mailbox in which mail can be pushed through a slot for delivery, but retrieved only by the owner with a key. Public key encryption is more secure than symmetric encryption because the decryption key does not need to be transferred.

End-to-end encryption: Only the sender and receiver can read the message. Examples of end-to-end encryption include the protocols Pretty Good Privacy (PGP) and Off-the-Record Messaging (OTR). Examples of end-to-end encryption communication services include Apple iMessage, Telegram, and Threema.

Data-at-rest encryption: Protects data physically stored in a digital form, e.g. on computers, storage disks, mobile devices, Internet of Things.

In practice, encryption is applied in a layered approach. For example, a user encrypts his or her email using PGP or Secure/Multipurpose Internet Mail Extensions (S/MIME), and the email provider (e.g. Gmail) encrypts the transmission of the email using HTTPS.

It is important to note that encryption does not necessarily render all communications data unreadable. For example, communications metadata—including sender and recipient identifiers, message length, location, date and time, and data used for law enforcement—can be exposed in clear text.

Challenges

The widespread availability of encryption, as well as its versatile nature and use by different actors, presents a number of challenges for:
Freedom of speech, anonymity, and abuse
The security–privacy conundrum
Encryption backdoors
Tamper-resistant technology

Freedom of speech, anonymity, and abuse: Encryption technologies facilitate anonymous communication, a potential lifeline for citizens and activists, and individuals in vulnerable communities. Encryption technologies, however, can help bad actors hide activities and communications. Regulating technology in order to hinder criminals from communicating confidentially runs the risk of making it impossible for law-abiding citizens to protect their data and putting their rights in jeopardy. The overall objective of security should be to foster confidence in the Internet and to ensure the continued success of the Internet as a driver for economic & social growth.

The security–privacy conundrum: We need a balance between security and privacy. User trust stems from a sense of both privacy and security. There is a legitimate need for governments to protect their citizens; however, citizens are also entitled to privacy from government, commercial, and criminal intrusions. Example: Trust that a message is confidential (it will only be read by its intended recipient) helps a variety of Internet services, most notably e-commerce, to flourish.

Encryption backdoors: This refers to the idea of a ‘master key’ or tool that can help an authorized third party gain access to and decrypt encrypted data without access to keys. The technical community believes that introducing backdoors puts legitimate users at risk and is unlikely to prevent criminals from communicating clandestinely. Bad actors will likely find alternative means of communicating, while average users may not have the same tools. This could leave criminal communications immune from observation and leave user communications vulnerable to observation and interception by governments or bad actors who have discovered how to exploit the backdoors.

Tamper-resistant technology: Tamper-resistant technology is designed to make it difficult for attackers to modify technology, and to make any tampering attempts evident. Used in conjunction with encryption, anti-tampering measures can help prevent entry to a device after repeated login attempts, and the installation of encryption backdoors, rootkits (malicious code designed to access different areas of a computer without authorization), and other malicious software. In recent years, there has been a trend towards greater use of tamper-resistant technology and mechanisms that automatically erase data under certain conditions (e.g. after 10 failed attempts to correctly enter a password). However, tamper-resistant technology may make it more difficult for law enforcement attempting to gain access to the communications and data of bad actors pursuant to a judicial order.

Guiding Principles

1 Confidentiality and anonymity
2 Data security
3 Trust
4 Encryption
5 Tamper-resistant technology
6 Increased deployment of security measures
7 Multistakeholder solutions

Guiding principles for encryption policy debates: The Internet Society offers the following guiding policy principles:

Confidentiality and anonymity: Individuals should be able to communicate confidentially and anonymously on the Internet. This supports the unhindered expression of human rights, including privacy and freedom of expression.

Data security: Individuals should have the right to use encryption and other tools to protect their data, digital assets, and online activities. After all, individuals have the right to protect their offline assets and property.

Trust: User trust is critical to the Internet’s continued growth and evolution. Reliable mechanisms for authentication, data confidentiality, and data integrity are vital technical building blocks for trusted products and services. Legal frameworks should support individuals’ human rights, including the right to privacy.

Encryption: Encryption should be the norm for all Internet traffic. Designers and developers of digital products and services are encouraged to ensure that users’ data, whether stored or communicated, is encrypted by default. Where possible, end-to-end encryption solutions should be made available. Network and service operators are encouraged to deploy encryption where it is not yet deployed, and firewall policy administrators are urged to permit encrypted traffic.

Tamper-resistant technology: Tamper-resistant technology should continue to be developed and implemented in support of encryption. Governments should not mandate the design of vulnerabilities into tools, technologies, or services. Likewise, governments should not require that tools, technologies, or services be designed or developed to allow third-party access to the content of encrypted data. Governments should also support the work of security researchers and others in identifying and responsibly disclosing security and privacy vulnerabilities in technology.

Deployment: Increased deployment of security mechanisms (e.g. encryption) will result in challenges in network management design, development, management, and usability. Network management, intrusion detection, and spam prevention will face new functional requirements. We should expect new economic and policy challenges.

Multistakeholder solutions: Criminals can communicate confidentially and anonymously. Successfully confronting this issue requires the concerted action of multiple stakeholders.

Download the Briefing Paper. Thank you.

Encryption technologies allow you to securely protect data that you don't want anyone else to have access to. Businesses use encryption to protect corporate secrets, governments use encryption to secure classified information, and individuals use it to protect personal information like credit card numbers, tax information, and emails.

Encryption does not involve a trade-off between security and privacy. It involves a trade-off between more security and less security. Strong encryption practices help protect law-abiding citizens’ communications and data. It also supports online commerce, builds user trust and supports human rights such as privacy and freedom of expression.

Limiting encryption will not prevent bad actors from hiding their activities, and it will negatively impact the security of law-abiding citizens. Legal and technical attempts to limit the use of encryption by individuals will negatively impact the security of all law-abiding citizens.

Strong encryption means unbreakable encryption. Any weakness in encryption will be exploited — by hackers, by criminals and by governments. This means that if the police can eavesdrop on your conversations or get into your electronic devices without your consent, so too can criminals.