The Encryption Summit: all the news and updates as they happen
As our lives become more digitized, online privacy concerns have entered mainstream. Once the preserve of businesses and cybersecurity geeks, usage of privacy-preserving software like VPN services and secure messaging apps is now the norm among citizens around the world.
With over 300 global members, the GEC promotes and defends encryption while supporting efforts by companies to offer encrypted services to their users. Its Steering Committee includes the Internet Society, Mozilla, the Internet Freedom Foundation, Global Partners Digital, and the Centre for Democracy and Technology.
There’s just one problem: the main system responsible for preserving people’s anonymity, encryption, is under attack as worldwide governments increasingly see it as an obstacle. The UK Online Safety Bill (now law) is just one of the many regulations attempting to break encryption on security grounds.
The stakes are certainly high for the future of privacy and security.
That’s why the Global Encryption Coalition (GEC) decided to host Power to the People: The Encryption Summit. The online event includes a total of five panels, aiming “to celebrate the many ways in which encryption makes us powerful, investigate the regulatory challenges facing encryption, and unite our community.”
I’ll be reporting the expert insights as the event unfolds, so scroll down our live blog coverage below to keep up.
The first panel hosted by India-based advocate group Internet Freedom Foundation is about to kick off.
Power to the People! #GED2023Join us today at The Encryption Summit, as we celebrate our right to privacy and fight back to ensure everyone, everywhere has access to encryption. https://t.co/aOfYgFsUoeOctober 19, 2023
Speakers will delve into the importance of encrypted communication for journalists in South Asia and how regulatory efforts to undermine encryption in the region could threaten freedom of expression and a free press.
The speakers started by giving a glimpse of the political context of three South Asian countries (Pakistan, India and Sri Lanka) where new digital regulations are feared to cripple digital public space. Different countries, similar issues and a common sentiment: “It will always get worse.”
The Sri Lanka Online Safety Bill is especially putting encryption at risk. On this point, human rights lawyer and activist Ambika Satkunanathan said: “The all purpose of the Bill is to create fear among the average citizens, but also human rights advocates, political dissidents and journalists.”
Despite protecting encryption being important, according to Seema Chisti (Editor of Indian news outlet The Wire), it is even more so calling for the same protection for physical devices which get regularly confiscated by authorities.
Secure VPN services and encrypted messaging apps like Signal are fundamental tools for journalists, lawyers and any other citizens. Yet, as Farieha Aziz, co-founder of digital rights advocacy group Bolo Bhi, said: “In a lot of circumstances these protections don’t hold.”
The next session is going to take a deeper look at what client side-scanning technologies are, the issues that come with these solutions, and how some experts are fighting those back.
Scanning devices is not a reasonable alternative to “breaking encryption”.Join our panel on 19 Oct at 12:30 UTC to learn the problems with client-side scanning in legislation with Dr. S. K. Witting, @mer__edith, @neetibiyani, @pgbernardi, Roberta Battisti & Ella Jukabowska 1/2 pic.twitter.com/xGrDwkqKQnOctober 17, 2023
Robin Wilton from the Internet Society started by explaining what client side-scanning is. He says: “Client-side scanning is the process of inspecting what you write or send, either before you encrypt it for transmission or after it is decrypted.
Encrypted communications have for a long time been a block box that governments want to access,” said Paula Bernardi from Internet Society. In the past, authorities were looking to use backdoors to bypass encryption similarly to opening a confidential letter before the receiver. Now, side-scanning will work as someone standing over your shoulder and reading what you’re writing, explains Bernardi.
Why are governments trying to enforce such a dangerous tech, then?
Similarly to anti-terrorism invasive legislation after 9/11, now preventing the spread of Child Sexual Abuse Messages (CSAM) is the main reason behind regulations like the UK Online Safety Bill, EU Chat Control, and more.
Talking about the EU Chat Control proposal, Dr. Sabine Witting said: “The proposal gets it wrong completely because it creates the impression that privacy is a threat to children’s safety rather than a precondition of safety.”
She lamented how the fight against CSAM has been portrayed as either pro-privacy or pro regulation on behalf of children, without asking for their opinions and views.
Ella Jakubowaska from European Digital Rights (EDRi) said: “We are invested in this work because for years people have been saying we want Big Tech out of our lives and logging our data on everything we do. We don’t want them in our perosnal intimate moments, our private chats. And now, this proposed EU law is saying they should be mandates to be inside these conversation, to act as kind of interent police.
“Encryption is something that empowers all of us, even when people don’t realize it.”
“We are not in the 90s anymore,” says Signal CEO Meredith Whittaker. “What we are up against now as a technical expert community is an emerging industry of AI scanning and biometric companies that are incentivized to claim that in fact it is possible to do scanning of end-to-end encrypted data safely and privately.”
According to Whittaker, the tech community needs to stand unite and call out “not just the government lies, but also the industry commercializing and marketing tech in ways that are so dishonest and could be so dangerous for fundamental human rights.”
In the next panel hosted by Mozilla, firm behind secure web browser Firefox, explain how encryption is also used outside personal messaging services and which are the policy challenges and opportunities in these areas.
E2E is, in fact, employed to protect computer systems, secures financial payments, and shields medical records and browsing behavior from prying eyes.
According to Alexis Hancock from the Electronic Frontier Foundation, what’s most worrying is that encryption is being framed as a tool used for nefarious means.
She said: “We have to be careful how we are framing security, how we are protecting people. It’s about the impact and harms that can happen from legislation. Not every government is acting in the best interest of the people.”
Talking about regulations around encryption outside messaging, researcher on network security, censorship, surveillance Gurshabad Grover said: ” We need to reevaluate how to reconcile our control of our devices. We do want full control, and we want our devices to do whatever we want.”
Speakers went on talking about the importance of digital trust.
Open-source systems can help on this front as they enable anyone to verify and check the code for vulnerabilities. Yet, they warn, regulatory tensions on encryption could also impact this side of software development as developers in some countries could be prevented from sharing their encryption algorithm.
Panel hosted by the Center for Democracy and Technology (CDT) on the challenges for digital services to comply with content moderation regulations on illegal and dangerous content is now live.
Many of these services providers need to juggle new requirements, without compromising encryption and users’ security.
So, how can social platforms monitor and halt the sharing of illegal material on encrypted platforms?
Iria Puyosa from DFRLab explains how Meta-owned WhatsApp still widely relies on users reporting spam, abusive or dangerous content directly to the platform.
That’s why, according to Riana Pfefferkorn from Stanford Internet Observatory a “robust report flaw” is needed across all platforms to empower users. “Another part of the technique would be metadata analysis,” she added.
Speakers also share some interesting findings from their researches investigating how users, especially the youngest, use social media platforms and actively shield themselves from online dangers.
“The underlying problem with a lot of the policy responses is that it fuels people as passive participants that need 24/7 supervision online,” said research director at CDT Dhanaraj Thakur. “What we would like to see is in terms of what can be done to improve the agency of young people online to deal with unwanted content.”
The last session of today’s Encryption Summit organized by Global Partners Digital is taking a broader look at the importance of encryption in the communications in various communities across the globe.
We can expect examples of how encrypted communications have helped empower marginalized communities and users living under strict surveillance, with discussions on how researchers and activists can help promote online security in the future.
Caroline Sinders, founder of Convocation Research and Design Labs (CoRD Labs), talked about the danger when vulnerable users think they have security/privacy, but their communication is actually open to surveillance.
She described her work with vulnerable users, including US citizens living under reproductive data surveillance, and how digital literacy training was needed to help them understand which platforms should use (such as Signal) or avoid (like Facebook Messenger) as encryption is not necessarily turned on.
Also Diana Gheorghiu, Legal and Policy Officer at Child Rights International Network, stressed this sense of false security. She especially focused on how undermining encryption will ultimately making children more vulnerable online.
“Policymakers should identify the goal first of the policy and then consider the range of option which could be of technological nature or not that could be implemented in order to achieve the policy goal,” she said. “Encryption poses only benefits for privacy and only risks for the protection of children.”
So, what should digital rights advocates and experts focus on within their fight for better security online for all?
“Applications that have encryption should be turned on by default. One of the things we are worried about is the danger of feature creep,” said Sinders.
Also for Robert Fabricant, co-founder of Dalberg’s Design Impact Group (DIG), “this is not a technical problem, it’s a design problem.”
He said: ” We need to move beyond a dialogue on the technical elements like encryption, but instead think about trust more broadly and how encryption can help us set the stage for a more productive dialogue.”
And with that, that’s a wrap on my coverage of the Encryption Summit!
It’s been a very interesting few hours as speakers shared their knowledge and research findings, giving us a glimpse on what’s at stake for a world without encryption. Stay tuned from more content on TechRadar about new policies and tech solutions on this front.