6 min read
Summary Report – Terrorist Exploitation of E2EE: Policy Responses
Claudia Wagner May 17, 2022 9:00:50 AM
On 20 April, Tech Against Terrorism organised a roundtable discussion on “Terrorist Use of E2EE Services: Policy Responses.” This event marks the second session of a three-part roundtable series on assessing and countering terrorist use of end-to-end encrypted (E2EE) services that aims to highlight risk mitigation strategies that safeguard privacy and security. This session saw participation from counterterrorism experts, digital rights advocates, and government and tech sector representatives.
The roundtable series is being organised following the publication of our landmark report on “Terrorist use of E2EE: State of play, misconceptions and mitigations strategies”.
Key insights from the roundtable:
- All participants emphasised the issue of ensuring that policy responses proposed are proportional, and agreed that E2EE is a necessary privacy and security tool. Some participants raised that the weakening of E2EE in order to counter criminal use of encrypted services is too great of a cost and proposed policy responses are not proportional to their stated aims.
- The extent to which law enforcement benefits from legislation which provides lawful access to encrypted data is unclear.
- Tech companies highlighted how the onus is being placed on tech companies to bear responsibility for content on their platforms, emphasising the need for more discourse between regulators, policymakers, and tech companies to create meaningful policy responses.
- Participants highlighted that some countries and governments are better equipped for a public debate on how to mitigate terrorist use of E2EE whilst safeguarding encryption than other countries. Related to this, participants highlighted the importance of including online users and the general public into the conversation of ensuring both online and offline security.
- It is important to consider the offline and online threat and to assess the threat of terrorist use of the Internet (TUI) across multiple interconnected platforms. A risk management approach is the most important step, including banning individuals and organisations and enforcing against recidivism and understanding how terrorists operate and behave. Proactive scanning for content is not consistent with the privacy and security guarantees of E2EE. Mandating tech companies to proactively scan E2EE content or provide access to unencrypted data to law enforcement raises important legal and ethical questions, in particular questions of jurisdiction, fundamental right to privacy, and safeguards against abuse.
Policy responses to terrorist use of E2EE: Overview of existing responses
Tech Against Terrorism provided an overview of existing tech platform and government policy responses to terrorist use of E2EE. In terms of tech platforms’ policy responses, most encrypted messaging services have Terms of Service that prohibit content and behaviours and can ban accounts, and some specifically prohibit terrorism.[2] Mandating tech companies to proactively scan E2EE content or provide access to unencrypted data to law enforcement raises significant legal and ethical questions. Policymakers’ calls for lawful access to encrypted content have led to an increase in legislative proposals that may directly or indirectly impact encryption. Legislation and legislative proposals impacting E2EE often lack safeguards to ensure that users’ fundamental right to privacy is upheld.
Tech Against Terrorism highlighted the state of play of legal responses to criminal use of E2EE. Legislation impacting, or with the potential of impacting, use and offering of encryption can generally be divided into three categories: lawful access for law enforcement (CT motivated)[3], detection and moderation of illegal content (CSAM and online harms motivated)[4], and traceability requirements (online harms motivated).[5]
Tech Against Terrorism outlined legal and ethical questions with regard to legal responses to criminal use of E2EE. For example, in terms of jurisdiction, fundamental right to privacy, and safeguards against abuse.
Terrorist use of E2EE: Policy Responses
All participants agreed that E2EE is a necessary privacy and security tool. Where the aims of access to encrypted information should be proportional, weakening encryption is too great a cost. Mandating access to encrypted data will not be effective in achieving its stated aims as dark net platforms and encrypted archives will persist and increase in response.
The participants discussed the global legal landscape of encryption legislation, particularly legislation that provides lawful access to encrypted data. Participants emphasised how the extent to which law enforcement benefits from legislation that provides lawful access to encrypted data is unclear. Governments such as the UK and Australia have passed law enforcement access laws but have avoided using them. Participants questioned why governments are pushing for more E2EE related legislation when they already have access laws. Participants highlighted that the framing of this conversation should be less around wholly safeguarding E2EE or breaking E2EE – rather, the conversation should focus on how we can best prevent abuse with the assumption that E2EE is safeguarded.
The discussion highlighted how despite having access laws, governments continue to call for new legislation related to E2EE. Tech companies highlighted how the onus is being placed on tech companies to bear responsibility for content on their platforms, emphasising the need for more discourse between regulators, policymakers, and tech companies to create meaningful policy responses, given the lack of coordination and collaboration between regulators and tech platforms.
Tech companies emphasised the issue of ensuring that proposed policy responses need to be proportional to their aims. They questioned what a proportional approach would be to solutions such as the example of analysing metadata. Participants highlighted that undermining encryption in the attempt to ease investigations is not proportional as it undermines the critical foundations of people’s personal lives, international affairs, and trade. The safety of all should be prioritised over attempts to increase monitoring tools.
Related to the question of proportionality, participants also discussed lawful hacking. They highlighted that this represents more of a targeted interference than a weakening of encryption altogether; but nonetheless raises important legal questions that should be addressed as lawful hacking is already a common investigation technique for certain law enforcement.
The discussion also highlighted how some governments are better equipped for a public debate on how to mitigate terrorist use of E2EE whilst safeguarding encryption than other countries. It is therefore important to consider the government one is working with and especially important to work with local partners. Some governments have attempted to bring more of the “public” into the conversation as demonstrated by Pirate Party in Germany’s Chat Control Poll which provided enough context to allow participants to get a good understanding of what the monitoring of encrypted conversation entails. The Chat Control Poll asked individuals if they personally would want their messages to be screened. Ten EU countries participated and the significant majority rejected the idea and method of having their messages screened, but to varying degrees.
Looking forward: risk mitigation strategies for tech companies and innovative law enforcement investigation techniques
Participants noted it is important to consider the offline and online threat and assess the threat across multiple interconnected platforms. Risk management approach is the most important step, including banning individuals and organisations and enforcing against recidivism and understanding how terrorists operate and behave. Participants questioned whether there are possible avenues to provide positive use cases of encryption and the importance of encryption for one’s security, both online and offline.
The discussion also highlighted the importance of limiting the extent to which malicious activity can occur through ensuring secure system design. Participants emphasised that proactive scanning for content is not consistent with the privacy and security guarantees of E2EE. These questions and alternative mitigation strategies will be at the core of the third roundtable of the series, which will discuss risk mitigation strategies for tech companies and innovative law enforcement investigation techniques.
BACKGROUND TO THE SERIES
Strong encryption is the backbone of data security and online privacy. Internet users realise this, and tech companies, in particular messaging services, have increased their offering of E2EE services in response to user demand for privacy. The increased popularity and widespread use of E2EE has led to government and law enforcement concerns over terrorist exploitation of encrypted communication channels, and many governments are exploring ways to grant law enforcement access to encrypted communications, or to introduce obligations for service providers to monitor these communications.[6] This has in turn caused objections from both tech companies and digital rights advocates, as well as security experts.
The roundtable series is being organised following the publication of our landmark report on “Terrorist use of E2EE: State of play, misconceptions and mitigations strategies”, which provides a comprehensive overview of the risks and mitigation strategies related to terrorist and violent extremist exploitation of E2EE services and outlines recommendations for governments and tech companies. We are organising these roundtables to facilitate constructive dialogue and build trusted relationships between tech platforms, governments, and law enforcement, as well as counterterrorism and digital rights experts to outline a pathway to countering terrorist use of E2EE without “breaking” encryption or violating privacy.
[1] In an opinion on the EU Proposal for temporary derogations from Directive 2002/58/EC – the EU’s ePrivacy Directive – for the purpose of combatting child sexual abuse online, the European Data Protection Supervisor laid out the requirements that should be met by any measure interfering with “the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications”.
[2] WhatsApp, Wire, Line, and Telegram all have specific prohibitions related to terrorism.
[3] UK Investigatory Powers Act 2016; Australia Assistance and Access Act 2018; EU Resolution on Security Through Encryption and Security Despite Encryption, 2020.
[4] UK Online Safety Bill; US EARN IT Act (proposal); Singapore POFMA, 2019.
[5] India 2021 Social Media Rules; Brazil Internet Freedom, Responsibility and Transparency Bill
[6] For instance, the United Kingdom and Australia have both passed acts governing the possibility for law enforcement to request access to normally encrypted data (respectively the Investigatory Powers Act of 2016, and the Assistance and Access Act of 2018), The European Union has been calling on tech companies to be able to detect certain types of illegal content, notably child sexual abuse material, on encrypted services with the Strategy for a more effective fight against child sexual abuse (July 2020). In certain jurisdictions that have recently passed regulation on illegal and harmful content, or are in the process of passing one, requirements for platforms to counter the dissemination of illegal and harmful content also applies to platforms offering E2EE. For a more complete overview of governments’ call for access to or monitoring of encrypted communications, please see Section 8 of our report on terrorist use of E2EE.
European Data Protection Supervisor (2020), Opinion on the Proposal for temporary derogations from Directive 2002/58/EC for the purpose of combatting child sexual abuse online.
- News (254)
- Counterterrorism (55)
- Analysis (52)
- Terrorism (39)
- Online Regulation (38)
- Violent Extremist (36)
- Press Release (35)
- Tech Responses (35)
- Regulation (33)
- Europe (31)
- Government Regulation (27)
- Academia (25)
- GIFCT (22)
- Reports (22)
- UK (22)
- US (20)
- USA (19)
- Guides (17)
- Law (16)
- UN (15)
- MENA (13)
- Asia (11)
- ISIS (11)
- Workshop (11)
- Presentation (10)
- Fintech (6)
- Far-right (5)
- Threat Intelligence (5)
- Webinar (5)
- Propaganda (3)
- Region (3)
- Submissions (3)
- Generative AI (2)
- Op-ed (1)
- Tech Against Terrorism Network (1)