The following are the outputs of the real-time captioning taken during the Tenth Annual Meeting of the Internet Governance Forum (IGF) in João Pessoa, Brazil, from 10 to 13 November 2015. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record.
***
>> MODERATOR: Okay. Welcome to this workshop on the pol tings of encryption. By planning our by accident, this schemes to be a nice follow‑on to this morning's workshop on encryption. We've going to try to avoid going over a round that is too similar to this and try to concentrate really on the more political aspects of how we make decisions about encryption. I'm Bill Graham. I'm the moderator of the session and we have with us today (inaudible) at this end. She's a member of the European parliament and she's also a commissioner on the global commissioner for global Internet governance. Then we have Andrew Sullivan, the chair of the board and based on the internet performance company. Then we have Danny O'Brien. To my right we have baRon. Then we have Frank Pace from the Phoenix police department. Then we have Mohammid from the association of progressive communications and I apologize. I am sure I mispronounced your last name there.
So as we found this morning in discussion, encryption is basically a basic building block on the trust of the internet posts snowedden revelations. Although, I don't really think that made much difference. It was a basic building block that we hadn't got around to. It is needed to insure freedom of speech, privacy and to facilitate commerce on the internet. Levels of encryption range along a continuum from me encryption to an unbreakable level of encryption. Technology politics and public sentiment all factor into determining this socially optimal or the appropriate or the agreed level of online encryption. The balance won't be static either over time or across countries. Often technological moves to break the encryption by state agencies and are the queuing a proverbial war. Extreme political positions which we have heard either in favor or against encryption generate the opposite. So this afternoon, the experts have been asked to come together to talk about the politics of encryption. So without saying anything further, I think I'd go through our speakers in alphabetical order for lack of any better reason and ask them to speak for about 4 minutes as an introduction to the topic and then we can go to open discussion. So first, Lauren Bernard.
>> I work for the ACD is a government of organizations which addresses economic and social issues. It doesn't deal with national security, law enforcement, the fight against criminality, et cetera; however, once in a while, there are areas where there are issues where there is an overlap between something that relates to economic and social prosperity and law enforcement of national security. When these issues are required on international discussion, sometimes they come to the ACD and we have a dialogue. This is exactly what happened in the 1970s or more precisely 1996 and 1997 whereas the famous crypto WAZ took place. At some point, OECD members countries were to be the place to discuss and develop public policy principles for crypto policying. And so the OECD adopted in 1997 guidelines for crypto policy which has been reviewed every five years since then and members agree that they were still relevant. They are considered still relevant. We are not currently having a project on crypto policing, but it may be an interesting starting point to go back to these guidelines and I'm not going to project them at length on the website. But they include a set of principles that policy makers should consider and should actually implement in developing crypto policy. They don't say you should do this or that. You should regulate or not regulate. They're saying whatever public policy for encryption you are ‑‑ you develop. Pay attention to these and try to respect these. And if there should be a challenge in today's crypto policies, there can be a good starting point for thinking about it. I think we agree ‑‑ I won't be long. One question is relating to that is okay. If we think about the 1970s and the first crypto, what has changed? Many things have changed, of course. But has something really fundamentally changed that requires something new at the policy level? That may be a way to discuss the question. I'm asking more questions than responding. Thank you.
>> Bill Graham: Thank you, yes. I will turn over to Danny O'Brien.
>> Danny O'Brien: So I think it's interesting that we've returned to this sort of terminology and the crypto wars or the war on crypto and I think like any war on an abstract concept, it is should what futile. So I think what I'd like to just briefly discuss is not so much the politics of encryption, but the policies that go around encryption. Encryption is a fact of the universe. It's a mathematical absolute and I think even with the knowledge that we now have about just how much attention the NSA and presumably many other security agencies play in attempting to break the encryption we have right now with relatively confident that is something that can be preserved. But there's a huge amount of other powers and using capabilities that states and others can use to undermind the use of encryption. And I think ‑‑ one of the first things that happened after the snowedden revelations, at least at the electronic frontier foundation offices is we started kicking this idea that maybe we lost the first crypto war. Maybe what happened is essentially the strategy had changed from being a direct attack on encryption to just accepting the momentum in the inertia that the majority of data sent over the internet is not encrypted not through any force, but simply because people prefer an easier way of sending their data and the NSA used that to create mass surveillance programs. So in response for that, one can create a count narrative and a way of protecting the capabilities of encryption that enable so much previously and free communication. But increasing that level of encryptionon line, I think that's already happened. I'm sure most of you have seen that very pleasant curve of seeing how much material now is encrypted as it passes through the net. We're working on a project that we will all launch very soon. Hopefully we'll make encrypting websites trivially easy online. But that brings us to what the counter response to that response is going to be and I think we're seeing that now. And I think I would like to point out that I do not think that it's about creating back doors in the way that we understand it in encryption. I think it's about creating a enforcement mechanism around the devices that use encryption that allow that encryption to be undermined either in an individual case or more widely and given that I have spoken over my time, I will happily expand on that later.
>> Bill Graham: Good. Thank you. There is plenty to fall back on there as well. Our third speaker will be Frank Pace from the Phoenix police department.
>> Frank Pace: Good afternoon. As mentioned, I am involved in cyber investigations and digital fronts for my agency and we work with federal partners in the area of investigations. That's the first point I would like to make. I made that point earlier today and I think it's critical when we talk about the politics of encryption because there's a clear delineation at least within law enforcement and the intelligence services on our objectives and why each one of us have our needs to that information at times. What I would point out is that within law enforcement, we have a mandate for public safety. That is the cover function of government to protect the citizens from harm and that it involves now frequently having to have access at times as part of our criminal investigations access to encrypted data. Not all the time. But frequently. And the access that intelligence security services may have differs. And they have different reasons for that, but we need to understand thatstration and when the argument is made for law enforcement, law enforcement, of course, has to work under the confines. They're legal instruments that require authority to have access to that information. We know that we have established our probable cause for that. I think that being said, that would help maybe set the path forward to our discussion here today on the differences between what law enforcement does, what the NSA does and then we can move forward on how we have suggestions and the suggestions I have to where we find a middle ground to where encryption is acceptable and how we go ahead and find the path forward.
>> Bill Graham: Thank you very much for that. Turning now.
>> Thank you very much. I hope we have a lively discussion and a lot has already been said so I will try to be brief. But just a few words about the politics from where I sit and a political organization. I am a member of the European parliament. So I have seen a transition in the discussion about encryption or the balance or approach to security and rights when it comes to the digital environment. And I think we are facing what I want to call today a security paradox where intelligence gathering has been legit myselfd. More access was sought to people's communications. Mass surveyance and collection and people eyewitness the services of. Now on the other hand, the technology that can help 100% secure people's data in the information flows is not desired. By law enforcement and intelligence services, I really think this is a major paradox. While everybody in political circles seeks to have more cybersecurity guarantees and understand that risks in critical infrastructure make us vulnerable for text and it is a good solution which is should not be undermined. This was an opinion voiced by computer securitiry searchers under keys of door mats on a report, which I am sure many of you have seen. So what I'm observing is that the debate has really changed one, of course, after we knew more about what the NSAin was up to thanks to the work of Edward snowedden. Also only when companies started speaking out and refusing to weaken encryption or to have keys they had to potentially be forced to hand over to governments has the debate really changed and had a lot of actors and also politicians and make a new calculation where interests lie. And I think that one of the risks is that we talk too much about the technological aspects or the specific qualities of encryption and that we don't talk enough about the principles, thethics and the law underpinning it. The kinds of deliberations that have to be made today about encryption may be about something else or another kind of technology, quantum computes or whatever tomorrow. And I would like and hope on a political level we go back to a principle discussion where individual rights are legitimate enough to protect. So I want to end there, but just point out to you now that we're here that the global commission on global governance which I am member, but there are 29 very different individuals working together to try to crack questions around government. We brought out a statement that seeks to build trust in Internet and seekless new balance and relation between the different stakeholders and I found it interesting and also encouraging that people with a very strong national security background like Michael Churna or Edward Bowman had corn census not to weaken encryption, not to require back doors in technologies. So I observe that there's a shift into thinking about what may have seemed to be wisdom or legitimate to aspire to 100% security or to have mass collection of dat in the name of intelligence gathering is now being rethought and a new conclusion is drawn up by at least some people that once were taking a different approach to there. So hopefully that is a broader trend in the European parliament. They're more aware of why it is important and I hope we can continue to approach any question about security with the right freedom of people in mind first.
>> Bill Graham: Thank you very much. Just a quick note that you can see that statement that she's just referred to on ourinternet.org. Andrew Sullivan, please.
>> Andrew Sullivan: Thanks. So the brief for this panel asked the question how much encryption is enough. And I think that that's a funny question in one sense and in another sense, I think it goes right to the heart of what we need to ask. The internet architecture board concluded a little while ago that pervasive surveillance and other kinds of attacks on the way people were using the internet were an attack on the network itself. So the right people turns out to bed amount that is necessary for people to have confidence in the network, to have confidence in their data the way it is carried on the network and, of course, to have confidence in the data at rest. That turns out to be a lot more than, you know, people have that confidence in their heads. It turns out they need to have that confidence even if they don't think about it. When there are revelations of data breach because somebody has been careless with their encryption, what happens is everybody's trust in the network is eroded. I come to this from a technical point of view. What is this technical guy telling us about policy for and my response to that is that the internet is a network of networks. It only work when people exchange the peakets freely and are willing to do that voluntarily. It is not a centralized system imposed by the top. People have to have that confidence in the network for it to work at all. So in order to have an internet, we have to have people who have confidence in the internet and in order to have that kind of confidence, people need to know their data isn't going to be misused and so on. And there really isn't a way to do that without strong encryption and without it being ubiquitous. That's the way it's got to be and the reason it's got to be that way because otherwise we don't have the internet at all. Thanks.
>> Bill Graham: Thank you, Andrew. So finally, I turn to Mohammid Terayi and hear for your view on this spacing.
>> Mohammid: ABC as a virtual organization global network our expertise comes in part from our practice tools that insure confidential and private communications critical for our work and members and partners. I will be presenting a case on how encryption and in particular anonymity and power groups are at risk specifically targeted to on line violence and agenda rights activists. It established in 2001 backed right to use encryption. The rights and principals also folks to online anonymity as portion principles on internet and freedom. The advent of ICTs use applied photography including online encryption to be able to verify integrity due to clinical limitations as well as interference, but state and non‑state actors. State has an application to possibly insure that people have a right to free expression. They need to insure that applied cryptographic solutions are widely available. This panel asks what is the appropriate balance of encryption online? For us, it's not an issue of balance. It is vital to enable free expression and the right to assemble online. The lead seas project (inaudible). They say that like free speech, the right to whisper is a necessary precondition to society. Without civil society languages and political freedoms that are curtailed. In another aspect, ABC (inaudible) found that due to interactivity and technology the targets of hate speech and online have engaged with interaction with agreesors and acting as passive victims. The former have the opportunity to exercise effective responses. And level in South Africa, research found that ability for ‑‑ it's a significant factor that contributes to full use. As documented in the case sturdies developd from research where mapping women's experiences of violence against women, they strategize against violence against woman using the same technology that perpetrators use. They can empower (inaudible) and it is used to shield violence against women. Laws and police limitations on anonymity and encryption with protecting victimness of violence does not protect against violence or serve their needs. They establish that it is a trite choose, express and experiment with diverse sexualities on the Internet. Anonymity enables this. Banning the use of encryption or undermining it ‑‑ a number ever countries have in place legal encryption or communications in the name of security and law enforcement. Back door and particular back doors. The task force choosing not to take a stance has made the following security constraints. It could have this function not have been present and the system is less complex than it could have had this function not been present. Being more complex, the risk is unintended security flaws is larger. It worked out even about it is not being used and lowers the security of the internet and for us, this presents a real risk. So we prefer to have full encryption, full anonymity and for law enforcement to use other sort of forensic methods to be able to do their jobs. Thank you.
>> Bill Graham. There we had our opening statements. Certainly a number of interesting and possibly controversial aspects raised I think by all the of our speakers rather than me asking questions or starting with the panel around, I think I would like to open the mic. There are two microphones. One here and one here at the very front. So are there any questions to start the discussion, please? I don't see any ‑‑ Oh. Wait a minute. If you could come up, please. Identify yourself, please. Thanks very much.
>> Mike Nelson with Cloud Flare provides encryption services. More importantly a veteran of crypto wars 1.0 when I was in the Clinton White House. I love the title of this panel because I think politics is driving a lot of the policy here and the most important political fact is that no critical leader wants to be in power when something really bad happens and it turns out the culprits had used strong encryption which had been legalized. You see this a little bit with the Obama administration now in terms of not wanting to pull back from the Bush‑cheney surveillance policies because if they did that and something bad happened, they would be blamed. Is there any way passed this fundamental problem that I think is motivating a lot of the hesitancy by political leaders to let encryption be open and available everywhere?
>> Bill Graham: Great. Please, Frank.
>> Frank: One I believe that where the dialogue needs to begin is just at that with the stakeholders involved and the encryption debate which includes law enforcement includes the security services, includes civil society organizations in academia and I think for several reasons. One, to provide some transpairencey and clarity to what it is that when from the perspective of government why we would need access to encrypted data. As a previously stated, the differences why an individual organization would want that access and I think unfortunately sometimes the politics clouds the reality. When the reality is that crime is just as pervasive as ever been in our societies and law enforcement has an obligation as do our security services to provide that protection, to provide that ability to combat crime. We need to put that on the table and we need to not let that come off the table by saying it's not an option for us to not have access to data when there is a legitimate and legal reason for that access. And I think as long as we start the discussion there, then we can move forward, but I think again my point would be let's not let the politics Cloud deal with realities of the world.
>> Thank you. Bad things will happen. Right? It's something politics have to deal with. Sort of other perspective want to offer a few bad things that have already happened without either clear ban or clear legalization of encryption. On the one hand, there's the acknowledge proliferation of hacking and are the surveyance technologies that consider a risk to security acknowledged by James Clapper that this is a problem. So that's the other side of the equation. I think we have to look at full picture with all kinds of metadata and specific communications still terrorist attacks and other attacks have happened. So we should also ask ourselves: Have we invest sufficiently in human intelligence and people that are supposed to connect the dots better than any ball connection mechanism might? We've also seen initiatives by law enforcement and for example, the Dodge ministry of justice. Let's get a legal Avenue to hack back to criminals. And then it turned out that it erases vital evidence, for whatever, when it comes to bringing to justice and people deal with child pornography and sharing images. Which is of course terrible. The best advice would be on that sense I agree to count to 10 sometimes instead of just seeking to do something and trying to have a broad spectrum of people looking at ethical, technical legal aspects and sharing knowledge with decision makers before knee jerk reaction comes back as a boomer rang.
>> Andrew: You know, it seems to me we're a little bit bad on the internet at politics. And I'm super selfaware here.
[Laughter]
But it strikes me that with other kinds of technologies if somebody came along and said well, we know that your safety is important and all the rest of that, but we've got bigger safety problems and we want some override. Imagine for instance, that the proposal was I want a magic stop switch in your car that any timeky come in and turn it off because I have a bank robbery in the way and I want to make sure all the areas are blocked. No one would agree that was a good idea. That would be an unbelievable intervention in a perfectly acceptable technology. But for some reason when computers are involved, ooh, it's magic. So now what you have to do is allow all kinds of strange intervention into the network undermining the variant of the network to do its job. This seems to be a terrible mistake. So I agree with you. No politician wants is to be there when a bad thing happens. And we've seen sometimes sort of over reactions. You can look at the security measures in the airline industry and some of them are effective and some of them are complete theatre. But the fact of the matter is if we persist in allowing other people to set the political terms of this debate, we will get what we deserve. This is a mistake and it's a mistake because the network is a vital and important tool that has enabled all sorts of fantastic developments in our lives. Can I not believe the things that I have seen in the course of my lifetime. It seems foolish to give that up because someone is afraid that somebody in the world will do a bad thing. We need it to be strong.
[APPLAUSE]
>> Bill Graham: Okay. Go to the next question or comment from the floor.
>> I am Mike. I too am a veteran of the crypto wars from 20 years ago. One of the things I found frustrating in that period was that many of the people with whom I debate or discussed this issue who were working for law enforcement would underscore they had procedures in place. They had search warrant requirements and other legal requirements that they had to meet. So that ‑‑ and that distinguished theme from mere snooping or intelligence gathering or bulk surveillance or whatever. The difficulty is that is only the beginning of an inquiry and not really the end. The argument frequently led to this point. They said I have a search warrant that's been approved by a J. we made a faith representation in the trib runnal. We have a right to have the information. That is not how rights work. The fourth amendment in the United States and what limitations and protections of privacy are in international agreements are about limitations on government, not about law enforcement rights. So I question you as to whether you are actually saying that law enforcement has a right to succeed if they have a warrant? Because the question raised by cryptography, by powerful cryptography is you may have a warrant, you may have done everything in good faith, but you may not succeed because technology is out there and worse, the mathematics is out there.
>> To answer your first part of the question, no, it's not a right. When law enforcement obtains a search warrant, it's legal authority. We wouldn't call that a right by any means. I would add to the example that you gave. Access to encrypted data when we do ask for such should be only a part of that investigation. It has been mentioned and I completely agree that alternative methods, conventional methods of criminal investigation need to occur to get us to a point where we need to be able to successfully argue and articulate why we need to have access to that information. There are several examples that I could give and a lot of them would be in the example of the interception of child pornography. When that occurs and that's often where law enforcement does get involved in the information as it's coming through when it's in data in potion as opposed to data at rest. That is only one small part of those types of investigations. We are acting on typically a tip that notifies us of an individual that is downloading illis it pictures and videos of children and in compromising positions that are illegal and allows us then to establish our probable cause to then further that investigation. Often times when we get to a point where we are now authorizing and writing a search warrant for that legal authority to have access to the devices and this is something else that we need to ready articulate and differentiate is when we have data at rest that sits inside of a computer, inside of a server or mobile device is much different than when we talk about the data that is being looked at over a network. If we at times don't have access to that information or when we do serve that search warrant, we have done traditional police methods. We have looked into the background of the individual. We ever looking into the images of where they originated from and we're try fog identify who the victims may be. When we get there more frequently than not, we are finding those individuals are using encryption. And if we do come across an instance where everybody device and method of digital storage that contains that evidence that we would need is encryptd and we don't have access, we may very well not be able to prosecute that individual that we knew we could prove to a certain extent had downloaded that type of material. So that's where to answer your first part and then to further on the fact that yes. Alternative methods and traditional methodness of police work are very much a part of what we should be doing.
>> Hi. Natalie Marcel from the University of southern California. At least in the U.S. context, the arguments we have about encryption and about guns follow virtually the same arguments. Some people really hate and are afraid of. Some people are really attach to that can be used for good things defending yourself from someone that is trying is to kill you. Yet somehow, we come to a completely different result about this. I think period Obama said it best where apparently as a country we decided the price that we're okay with a new town almost every week but somehow encryption, which to my knowledge, no toddler has ever shot another one with encryption is not okay. To the whole panel, why is it that we have the same argument about two different things but come to completely different conclusions about it?
>> Bill Graham: Thank you. Well, let's see. Mohammid, you want to start on this? We can just walk across the table.
>> Homaimid: Well, I'm not sure where to start. It has to do with the U.S. and the context of it, I would guess. You have other countries where guns are controlled heavily and they live just fine and nobody gets shot every day. Things like ‑‑ the difference here in this case, encryption and guns in this particular context are somehow privilege. For example, who is allowed to use encryption these days? Governments do? When government encryption gets (inaudible), it's a crime. When people encryption gets cracked, it's not a crime. So that's the only proof. But for us for what we're advocating is it's not encryption as a privilege. Encryption, just to (inaudible) to a global context, other countries that don't have a stronger law or may not have good judicial oversite, encryption is vitality for people in these countries in order to exercise their rights. Within this context, encryption is taking back something that was always ours. Yeah because I think like looking up the changes in the last 30 or 40 years, this ‑‑ the fact of mass surveillance plus the (inaudible) colony is one of the worse things that has happened to human rights. Of course that's one of the mange ones about we look back. Thank you.
>> Frank Pace: One to follow up with Mohammid's comment. If you're the victim of your own encryption being compromised, that is a crime. We do that frequently by investigating. Regarding the second amendment, as you're aware, there is no laws regulating the public's right to or possession of encryption; however, with the ownership of fire arms, there are. In the U.S., we have very lenient laws on that, but there are laws. And like wise when someone uses a fire arm to commit a crime, there are laws to address that as well. My response to you would be: Should we have laws that would allow us to have access to that information if we were able to prove that someone used their encryption for criminal purposes?
>> Thank you for the question. You bring ‑‑ you bring up a point with an organization with the country being discussed as a member. Okay. You bring it from an angle that sounds like a cultural angle. The way to say is it is a cultural issue. I come from a country where I am French and our friends from the other side of the channel say that we eat frogs and they just don't understand that. The way the U.S., the attitude or the culture regarding guns in the U.S. may be seen from that other part of the world. It may be seen like a cultural issue. Can I bring did to a different level by saying perhaps there's a fundamental difference and it goes beyond encryption is that we're dealing with zeros and 1s. And for many, many people it's just a mystery. We don't really understand how it works. Eye gun is much more concrete. It I've never seen one. You can see how the impact and you can understand it. Encryption? Both encryption and the consequences of uses it or not using it, all of that is so much more complicated and complexifies the debates of another placing, which may be an explanation why you have these differences. Thank you. Perhaps just ‑‑ sorry. At this point, may I just make one remark. From the questions that are asked, it seems to me that we've talking about a technology that is legal and using this technology is legal. We've not talking about making it illegal. It seems to me that in the 1990s, it was before the Internet until 1997 or around, it wasn't a (inaudible) heavily regulated and it was deregulated. So what those that want to have end to end encryptions today are doing is fully legal. So we're talking about a policy or there's a debate on whether or not to bring some more regulation back in that space. We've not talking about something that is the reverse. I think it's an important to thing to remember because deregulated enabled a number of things. Enabled the internet as a platform for growth, prosperity and any areas that touches everyone. And so it's not just some aspects which are absolutely fundamental related to freedoms and freedoms of speech. It is also all the benefits that the regulation broke and that have to be understood in this complex of this policy discussions. Thank you.
>> I find itfainating that this is the political question that we have connected guns with encryption simply because my organization and many other organizations here spend a lot of time fighting in the 1990s because that's pretty much exactly the equivalence that was used to enforce export controls. Encryption that mathematics was did fined as ammunition effectively. You couldn't travel with. I think it is worth pointing out that we haven't entirely deregulate encryption. There was still licensing restrictions on the export and often the use in many countries that those requirements were often latent, but they're sitting there waiting for the moment that states that have controls and encryption and actually feel they need to enforce it because of the sort of disastrous scenario that's been mentioned. On the point just to try and dig a bit further. I think having lived in the United States, one of equivalence is here. When law enforcement and some of the press coverage that we see refers to encryption, it's the idea that the bad guys are using the encryption. Those are the people who use this terrible thing. I think one of the reasons why that argument is getting less and less is there's more people that use encryption, are familiar with it not as an aggressive way of protecting bad people, but actually a way that we all use to protect ourselves against crime. Now I think that we know that the lack of encryption leads to crime, leads to data being hackd and released and we know that we need to punish companies who are so lax in their protection of data that they won't encrypt it. We know the lack of encryption leads to national security incidents when those players stay actors. The shift here is that increasingly we see the users of encryption and the uses of encryption being used for good rather than exclusively for (inaudible).
>> Thank you for this incredibly productive question. And though I live in the U.S. right now, I actually was raised in Canada. We seem to have a lot of foreigners up here. Oh, I think are properly mistyifyd by the way people relate to guns because we didn't grow up that way. I think that there's an important other point and I'm glad this is called on politics of encryption because this analogy is a political one. That's what it's there for. It's there to cause an equivalence, a false equivalence and I think that part of the answer to why we don't do this is because we're lazy about those kinds of analogies. As a cultural move when somebody introduces that kind of analogy, you have to draw them apart. All analogies are come some ways false. You have to say here are the ways the things are similar. People use them and here are the ways in which they're dissimilar. If you can attack the analogy by saying this is dissimilar in this way and no one has ever died in the literal direct sense that they have died from a gun. People can make plans to kill people with encryption. I think that's a danger, but it's a risk that we take. You make the same thing with guns. There is a risk you take because people want to hunt and so on and the question is where is the boundary? Apart from that, the analogy is lousy. I think it is important to face those things face on.
>> I am happy to say I am a European that doesn't have experience with this gun situation you have in the United States. It is one of the most incomprehensible facts in open society. So instead of driving analogy, I think what is important also as decision makers is indeed, to weigh the collateral damage and the principle intention. What is the fourth amendment that allows for gun ownership or second allows for their should be a lot of questions whether it doesn't have much more collateral damage. So whether it is still appropriate now changing the constitution is very difficult, but with encryption, I think we have to look at whether the benefits outweigh the possible risks and it's not an easy discussion. I think it's very attractive to try to sit in one camp and defend that encryption is great and others to attack encryption and it probably doesn't get us anywhere. It is more and more difficult for them to have exclusive position to do so because we live in an increasingly globalized and hyper connected reality. So these are not easy discussions, but they have to be made with precision and I think we face the nation now where security and national security have been abused for excessive encoachments and violations of people's rights so much that it is absolutely fair to be suspicious of security as an argument to increase law enforcement. Individuals have to be protected over (inaudible) by government as well.
>> Bill Graham: Thank you very much and thank you for bringing us squarely back to the politics of encryption. We do have remote participation and, Eric, share Dean, you can read a question.
>> Eric: We have a question from Shawna Finnegan. She asks: Would the members of the panel supports encryptions to make them easier to use and have common platforms in tools we use? And if not, why would that be?
>> Bill Graham: In the interest of moving things along, I think I will limit it to two panelists to answer any questions. Are there one or two that would like to speak to that?
>> Just briefly. The E.U . has supported programs for human rights defenders, journalists and people who are attacked to be better able to protect themselves online. So that includes encryption, but it is not a direct support T. goes through civil society organizations and experts. I think most of these decisions are business decisions that integrate encryption into their business model and it is not directive coming from governance. That's probably appropriate.
>> I've already mentioned let's increment. We have many organizations across the high (inaudible) of the Internet infrastructure which would make encrypting your website communications easy to use and more importantly free. Currently, you have to pay a small fee to get a certificate so that's one aspect. One thing in teaching people about encryption is a new danger that's arising which I increasingly see which is journalists, human rights defenders in regimes learn about encryption are targeted and prosecuted and this is used as evidence they're terrorists. This is one of the most damaging parts of the collateral damage of this new discussion about encryption that it's being used to demonize people who are simply trying to protect their right to privacy. You see what's happening in Etheopia and (inaudible).
>> Bill Graham: Just very quickly, Mohammid.
>> Mohammid: We need more encryption everywhere. We believe that governments have to support policies that positively enforce that and encryption needs to be developed. Thank you. Am.
>> as it related a little bit to that. My name is Stuart Hamilton. I guess some people in the room know that librarians in the us were one of the first groups to burn back against the patriot acts and the records and information seeking. Right now in the U.S., there's a program called the library freedom project, which is running encryption classes in libraries and teaching people how to use encryption. And there was a library in New Hampshire which is the first library in the country to know that is hosting a tour relay. And I think it was last month or the month before. Local law enforcement asked the library to take that relay down which caused a little bit of controversy in the community. But after a big consultation, the library decided to restore the relay. So I'm trying to work out from the perspective with the international federation of library associations and more and more users are going to be learning about that technology and understand it. I'm interested in that conflict about when advising my members and publicly funded institutions and able to use to each and use encryption through publicly funded networks. I wonder if the pan hill any thoughts to advise me on how to take this out to my members because I think obviously public libraries are used by people who need access to the internet and they don't have access at home F. they don't have access at home, they should have the right to access encrypted facilities. I thought this was an interesting issue. Am.
>> thank you. The very first job I took after school was in a public library. We had controversies along these lines in those days. They were constant, but one of the things that I thought most valuable about the position that our chief librarian took and the board and my boss was that this was a place where people got to learn things and some things they wanted to learn in private. For the same reason they could take the book home and read it and we treated the fact they borrowed that book as a sacred trust that we would not give up to anyone. Therefore, they can learn about those things privately. I think this is a valuable thing for libraries to do. I think knowledge is not harmful and I think it's good for libraries to teach people about encryption. I happen to live in New Hampshire. I find it a little strange living in New Hampshire. It's an unfamiliar culture, but there are these occasions when I think the other citizens there really have a point and the slogan of the state is live free or die. Now, this is an unfamiliar position. I'm a Canadian, right?D Canadian motto is something like I'm sorry about that.
[Laughter]
But when they stood up on this, it really was that moment when they said look. We're doing things. This is a public library and this is a thing that you can know about. Therefore, it is good for you to know about it. I think libraries should continue to do it. I thank you for doing so.
>> Just very quickly. I'm a member of a hacker space that also runs a tour and people will go through the hanger space. It's been open for a very long time and this little note by the door that says in the event of the FBI dropping by, please hand them this leaflet. And it's a leavelet that explains tour and explains whatever they're seeing coming through is not an act that's coming from this particular building. It is just traffic going through the encrypted tour network. I think my point here is that we know librarians are incredible educators and the opportunity here is to educate law enforcement about the nature of this technology. And in their defense, I think many people would say the FBI and local law enforcement is very aware of tour, very aware of its beneficial uses because they use it themself when conducting investigations and quickly understand the benefits of protecting their privacy and the privacy of their citizens.
>> Bill Graham: Thank you. A question on the side, please.
>> Hi. I am Susan Morgan. Until the end of last year, I was Executive Director in global network. Just coming back to the title, I am interested to hear from the panel to what extent you have the challenges and policy making on encryption at least to some extent derived from the fact that policy makers have technical understanding or knowledge. If you agree with that, what do you think will be done to address it?
>> Thanks for the question and I think that touches on a topic that us in law enforcement and in government are trying to approach. That's executive awareness and I think the same could be said for political or politician awareness as well. Going back to the topic of the education of law enforcement, I would completely agree with that. With the evolution of technology and encryption as you could imagine even went FBI within local law enforcement, there's a select few that know exactly how it's employed and why it is employed and you have a larger portion of investigators or law enforcement officers that probably need to have more knowledge on that. I think that awareness needs to be focused at the highest levels of government so that one as we talk about what I had mentioned previously on the education so that they understand the policies that they will be agreeing to or not agreeing to and being able to interpret and make informed decisions that are going to impact both society and those of us in law enforcement as well.
>> Bill Graham: Thanks. Andrew, your point of view and experience in this.
>> Andrew: Yeah. One problem that anybody who lives at the technical layer has more or less all the time is that, you know, you read things in the newspaper and you just want to bang your head because there are these claims about what could be done. The standard view, for instance, just introduce this back door and it will be super safe and we'll keep it over here in the right hand pocket. And it will be always safe. And that sort of position is breath takingly wrong. And so you have to keep having that argument over and over again. That's very frustrating, but okay. Everybody knows that one now. What's the next one? I think the shorted answer is that, you know, I don't, for instance, naturally hang out in policy make areas such as the internet governance forum. I guess this is not a policy making, but policy discussing forum. But I think that this is part of what people who work in my line of work have to do in order to make good public policy. I know that there are limits to the advice that I can give. I know there are technical matters about which I can be competent and matters of how you balance certain legal responsibilities that I am not competent to comment on. And I think that that's something we need to figure out how to engage with. We're not particularly sophisticated at communicates that. I don't know what to do about it. So if there are people that want to give me a hand, I am well open to that kind of help.
>> Bill Graham: Good. Also from the legislators point of view.
>> Sure. In principle, I totally agree. I think there is a lack of knowledge, but I want to offer two points of reference. One is I have had moments where I wanted to bang my head against something. When I was in tech forum, where I heard assumptions about how policy is made. I think it is safe to say there is a need for sharing knowledge and also a need for appreciating the complexities on both sides. Simplification sometimes don't help. Then if you look at a parliament, there's always a division of labor. So, there are people that are working on agriculture policy and I trust them to know about agriculture policy. I don't know much about it even though I have to vote about it and this is the saint for everything. I think is it is important to concentrate on the decision makers, but also to make people aware how much technology has become a layer of everything and why it is relevant for many more people. So I think there's a great opportunity for sharing knowledge and for bringing people together who have tech background and who have decision making abilities and I would also encourage people who think the policies are wrong to run for office. And I'm not kidding. To join a political party or run as an independent or to change it yourself because it's easy to complain about those that are making wrong decisions. I understand. At the same time, if you have better ideas, we need you.
>> Bill Graham. And quickly from the perspective of an international civil servant.
>> That will be my personal perspective. Yeah. I think it certainly plays a role. Politicians who are in place have advisors. We call them policy makers and these advisors are there to understand the issues. So they organize. They walk on that and there is no reason to believe that they don't achieve some results in understanding the issues. I think I would like to take the opportunity to point to a challenge here, which is that this is an area where you have policy makers coming from different parts of the government. So you have I will simplify, but basically you have law enforcement and (inaudible) which are on one side and economic and social prosperity, freedom of speech, human rights on the other side. I'm simplifying. This is a typical issue where needs to be intergovernment dialogue. I'm putting it on the table because in 1997, it was really critical. We could see delegations coming. I was not there in 1997, by the way. I was told it was really, really interesting to observe that delegate ‑‑ a national delegation and it had two components which would walk together. Of course in the same government, but would have on the other side of the country two components and they would understand each other like in (inaudible). The law enforcement would say yeah. Listen to this guy here. On the other delegation, he's right, but not that guy. There is a need for intra government so that the law enforcement better understands his colleagues in same government views. And that would be a sign of more maturity in the policy debate.
>> Bill Graham: Thank you. To my right.
>> My name is Nick. I used to be a (inaudible) investigator for 6 and a half years up until recently. Worked in many major malware campaigns and I recently just moved into the policy world within the department for culture, media and sports in the U.K . It's been a really interesting transition for me. I've just come here to my first IGF and I would just like to welcome that question that was raised earlier. I would like to welcome in panel and this discussion, which I think has been excellent in my overeous life as a cyber crime investigator, I relied on encryption to have discussions with sensitive sources and disseminate sensitive intelligence. On the other side of the debates, I saw bad actors compromising machines and ex filtrating private data that can be seen. They were losing out financially because there was no way to know what had been taken and who you needed to alert and what you needed to alert them to. So it's a really, really great debate. But I also kind of think it needs to be seen around. So encryption is just one element of security, which we've been talking about this week. So I do think it needs to be seen around. I think points to people that have made checks and balances that need to exist, absolutely. That's crucial and fundamental to this. Yes. As I am moving into the policy world, I think it's great and I wish I had known about this before when I was a cyber crime investigator. There are so many people here. You have different backgrounds, experiences and views. I think this stake holder model is the best way, I think, to discuss these issues and come up with ideaings and solutions and be collaborative on this. So, my take home from this is I'm going to go back and speak to my government people and law enforcement people and dry and encourage them to come along. One thing I do notice, yeah, we probably need to have more people like Frank here with their experiences they can come and share to the party and meet the fan tastic people who have the technical knowledge or policy. So I think that's just my take. But I can work on this discussion and I think it's really great and the balance and the range of views and my take home is going to be that I will share this and tell everyone how good this is and how we can get more people involved in the discussion. So thank you.
>> Bill Graham: Great. Thank you for taking this. I will go to the mic on this side.
>> I do fair amount of research on the darkweb. By question is or more of a statement I want to get the panel to respond to. There is encryption of corn tent on the one hand and that's related to privacy issues and rights.Ern this there's Tour an anonymity. So there's a slippage I've noticed. So we're treating the two as the same thing. Maybe no back doors and encryption is okay, but online anonymity shouldn't be guaranteed. Something to that effect or if there are so intimately related that you simply can't split them apart. Thank you.
>> Bill Graham: Thank you. That was a question I was going to ask myself. Anyone willing to speak to that? Frank?
>> Frank Pace: They're one in the same that often times the movement of the encrypted data will be over a platform such as Tour that will allow for the anonymity and I think from the perspective of law enforcement, there are two separate, but the issues tend to come up similarly in the context that often times when we're dealing with investigations, they are using Tour to help move their encrypted data. We see the difference between it. I think personally in going back to some of the other comments that were made and especially from the last comment, encryption, I think, is something that is key even to the use of law enforcement and is ‑‑ I don't think you will find that we are opposed to that or specifically as it relates to the question about Tour. I don't think you were opposed to the right to anonymity; however, again it does pose a challenge. So that's why we're here to discuss that.
>> Bill Graham: Mohammid, it was you who raised these two words in parallel.
>> Mohammid: You can ‑‑ I think particularly in the case of surveillance, if you can (inaudible) someone anonymously and by end of time, you will collect enough information to identify them. For civil society and human rights defenders and people at rich, you can't tell them you can use encryption, but you can be anonymous and I can't see how you can separate them in that sense and they both rely on cryptography. That's the things that combines them.
>> I think I won. So it's true that encryption does give us more cape acts than just unbreakable messages. It gives us digital signatures and on the edges of mathematics and new technologies that block chains. So there's a whole class of things that if we decide to weaken or break, we lose a huge part of the financial infrastructure. Just to be specific on the relationship between anonymity providing services like Tour and the things that encryption give to prevent surveillance. Encryption in the simplest form can protect against surveillance in the content of divisions, but it is not effective in that way to protect against surveillance of metadata. I think one of the most fascinating things I found in conversations in the last few weeks with those connected to the security services some those looking into that is actually the trend is to concentrate ons surveillance of metadata. To some degree, the interception of content, which is often strongly protected isn't a big game that the intelligence services wants. They stop the collect metadata. To go back to my very earliest point, we may miss the strategies that just bypass this debate entirely and we'll be happy that the new U.K . law doesn't enforce back doors of prohibited encryption. We miss the wood from the trees and actually what is going on now is surveillance of metadata and we need to develop new technologies like Pond or so forth to protect against that.
>> Bill Graham: Thank you. Question on this side.
>> I am Samantha Bradshaw and I am also from the center of governance innovation. I was wondering if you can make one policy recommendation around the politics of encryption and what would it be to kind of move us passed this debate and to kind of get at reconciling the tension between privacy and security.
>> I think Michael left and I don't mean to pick on him, but he brought up the issue of crypto 1.0. He was involved in the Clinton Administration and regarding an attempt if you want to call it a back door with a clipper chip back in 1993. Only that was not successful and it was proven to not be very functional. That being said, I don't support nor do I think anyone in my community is openly going to believe that there's ever going to be a back door. Nor would there be an excellence in society for that. With that being said, I think what the discussion needs to focus on for a consideration for policy would be on trusted platforms for key escrow. That has been brought up by the Obama Administration and I think that in my opinion is the way forward for the consideration of policy to allow both ubiquitous encryption, but also to allow the functions of government of law enforcement with the ability to have access when needed with legal authority and do that though, develop that policy in cooperation with our partners in civil society and academia and the legislature so we do come up with a solution. I think that's where it needs to be geared for.
>>
>> I think you need to stop (inaudible) because crime is a risk of encryption. What you are seeing is that surveillance is an efficient law enforcement tool. It really isn't. (inaudible) (inaudible) of crime often will take extra measures to hide themselves and to upsteal themselves as to not appear to law enforcement. And normal people don't. People living ‑‑ and those people deserve the same protections as everyone else. So we need to start putting both of these together. If you put laws that somehow control or weaken or undermine encryption, it will negatively affect ‑‑ it will negatively affect activists and journalists and human rights defenders rather than affecting dedicate criminals.
>> Frank Pace: I think it would be naive for those of us in law enforcement to assume that those of us in the western world that are working under the scope of checks and balances and legal authority aren't aware of the fact that the same abilities that would be allowed to us to have access to data. Those same accesses that those same authorities can be used in other parts of the world for purposes that I think you allude to. It has been mentioned that part of the discussion that prohibit the freedom of expression and, of course, other issues that come up. With that being said, there's no assumption that because there's the use of encryption that there's the implication or that those using it are committing crimes. And I think that's where if there is a way forward with ubiquitous encryption especially for those parts of the world that now openly question the use, I think it would be less of an argument and more back to my point about having only that legal authority, but a legal authority that is through a trusted platform to have access.
>> Bill Graham: Good. Thank you. I see we've down to 10 minutes ever time remaining. I would like it if I can take both your questions at once and then do a walk across the table and see what responses we have, if that works for everyone. So first question, please.
>> Sure. It's actually not a question. It's a comment so hopefully it should be pretty easy to deal w I am setting BUVEAI.
>> Sir, don't think your mic is working.
>> I just have a quick comment. And close followers of D.C politics aught to be aware of this some might not. I wanted to give a note about what's been happening over the summer. We had pretty high level conversation about these topics in the U.S. government and a lot of this played out publicly. I think if you do some searching on the internet, you can go back and read lots of articles about this. About a month ago, and I refer to an FBI director Comby on this, after having a similar conversation and weak the encryptions, cybersecurity, commerce, et cetera, the needs of law enforcement and the environment where encryption is being increasesly used decided to not pursue legislation or mandate approaches to deal with the issue. So again, just to refer you to comments about a month ago, testimony from FBI Detective Comy.
>> Bill Graham: Thank you for that. Next question.
>> I have decided maybe life long am ‑‑ I appreciate your comments, but you were looking for trustd platforms. I understand the difference that mights problem a technical perspective. I am wondering if there's any difference from a policy perspective from the point of view of the panel between encryption back door and a trustd platform.
>> Bill Graham: Frank, you want to answer that.
>> Frank Pace: To expand on that, maybe we can talk about trustd organizations. Methods by which the key escrows could be held by government, but by a trusted third party. And to what extent we come up with that solution, I don't have the answer for that yet. I don't know and in thinking about that, that's where I think we would need to discuss with our technical experts on where do we ‑‑ where would we find compromise in a solution where there's no expected trust in government and if that's the case, then where would we find that trust? Where would that lie? Who would that third party should be that goes back to the chipper clipper where you have a hardware implementation. I don't think that what we're looking for. If anything, we're looking for a standardization of development of encryption methods as we move forward. But I would allow my colleagues here to expand on that.
>> Bill Graham: Why don't we start at the left side and then we'll just walk across.
>> I think in general, we really have to fundamentally think about what it means to defend the open society against attack or risk. What I observed is there's been a lot of erosion from within in the name of security. And this is, of course, eroded trust in a very serious way. And one way to rebuild trust is through having appropriate laws, not secret laws to make sure that people have abilities of seeking redress if they've been mistreated and also by government. In that sense, I fully agree that just zooming in on encryption would be to miss the point. We have to really connect the dots and look at what it is. Let's pause for a second and zoom out. What do we want to accomplish? I think the lesson from the United States and I think this is a painful one is actually that the overreach in the name of security has eroded trust in an enormous extent. Not only in the United States, but also internationally, I know more intelligence services do it. So I don't want to men point the United States, but we just know more about it and the magnitude of the tech economy and tech companies gained with the abilities and the powers of the NSA make for unique situations that merits scrutiny. As a result, this comes back to the point that was made that maybe allowed in the United States should not necessarily be allowed in other countries. Of course the credibility internationally is undermine. It is really difficult. That's why I mentionedd example of the U.K . as well. If social media is blocked after riots to say to China or another country that may seek to block social media, we don't think it's a good idea. We hear it every day. Look who's talking. I do foreign policy as one of my core responsibilities. Credibility and leading by example is really key. Not only vis‑a‑vis government, but also vis‑a‑vis citizens of this world who look to the open societies and their leaders to also consider their position. I think the Internet open internet has offered unprecedented opportunities for people globally and we have to make sure that we keep them in mind and not just talk about technologies. So what I think we have to do is give meaning to democratic values and principles in the content of hyper connected reality. Go is allowed and which technologies can be used by whom is only one very small aspect of that.
>> I'm glad we came here at the end to talk about trusted platforms. I started, of course, by saying the reason we need encryption and the amount that we need is to be able to trustd net work. What I meant there is that we talk about users and so on, but it's people who are using the internet and they want to bible to believe that their stuff what they're trying to do is not going to be undermined. When somebody talks about a trusted platform for escrow or something like that, the answer is in the actract. Oh, it's trusted. I don't know. I don't know what I trust on the network. What I trust is the stuff that I am doing and then I have varying levels of trust with the people I'm talking to on the other end. I trust the math. Therefore, what I want is the system that I can believe in because I have control over certain parts of it. That's the kind of trust that I can. If what you want to do is build a thrustd platform held by governance or some trusted third party or something like that in general, I don't think you're going to get there. I don't think that anything about human history gives us any reason to believe that people are going to trust in some absolute sense some individual or corporate body whether a government or otherwise. I just don't think it will happen. So instead I think what we need is to reaffirm the trust that people can have in the technical facilities they have available to them and I think that's why the strong encryption including all of the technologies and so on, I think that's what is valuable about them. They restore our ability to use the network confidently.
>> It was interesting as we ran through the list of things we don't trust. We don't trust governments. We don't trust companies and they're sitting there saying where are we going with this? Who do we trust. I had this moment of thinking that IGF is be the key escrow last resort. But I don't think so. I just don't think there's anywhere. You put your keys and they're the keys to your identity, they're the keys to your communication. They're the keys to every part of you. The only place you can really keep them is on yourself and fortunately, we have great human rights protections for documents and effects of our own private life that gives us protection when we held them to ourselves. But just to touch on this, how do we rebuild trust on all of these institutions. One of the ways we can do that particularly in the infrastructure has been profoundly by the revelations and that comes from the fact we see these attacks on the infrastructure by intelligence services that are really hidden away from the checks and balances we expect from open societies. Just to go back to the idea of a single policy decision I would make if I had your keys and I was the most trusted person in the world, what policy decision would I make? I would break up the signals intelligence agencies that we have. The intelligence agencies that are in charge of this and I think they have two roles that are conflicting. The NSA and equivalent countries intelligence agencies are supposed to protect the integrity and privacy and they're supposed to undermine it. We have to separate the offensive and defensive capabilities of the intelligence community. That way, we have a check and balance. That way I think we'd have the discussion within government about the importance and the extent of encryption. And I've been confident that encryption would win because we realize it is better to protect our security using it than to try undermining the world.
>> Bill Graham: (inaudible)
>> I don't know the response to these questions, but I know that if there is a need on the government side to find solutions to raise by law enforcement, these solutions probably need to come from (inaudible). What happened in 1990s, we had governments, businesses and a civil society. It was 1997. As I said, we also require an internal discussion in the government between ‑‑ it requires to be taken at the higher level of governance. I also think that there is a need to think in this discussions about the international dimension because today, which change in public policy for photography for cryptography would work if it's not coordinated at the international level? Which country could have a change or would increase regulation of crypto and operating international with all the benefits that had has today. If there is no coordination. I don't see a reason why the international dimension would not be as important as before today. It would be even more important given the level of globalization in which is our economy is going. I could ‑‑ I will just quote one point of the crypto guidelines which is the international corporation principles which says government should cooperation to coordinate cryptographic policies. As part of this effort, they should remove the policies and (inaudible) to trade. As a personal thought, I would tend to think that when governance stops to think in these terms, it shows the debate has reachd a mature point and I'm not sure where they are on this crypto 2.0. It will be interesting to see what we do when we review the crypto guidelines in 2017. Thank you. On
>> Bill Graham: Frank, you have a closing comment?
>> Frank Pace: I think that is where we find a platform to move forward in that and I think you look at the familiar industry and their efforts in encryption and looking at platforms because when we talk about trusted platforms Texists there.S financial industry would say there is no privacy without authentication and with that, those methodologies and platforms are being established. That may be a point to where we begin discussions or we include those parties in that and it does sound like we're getting somewhere.
>> Bill Graham: Mohammid, you have the last word.
>> Mohammid: I think the encryption we have night rue is a trusted platform. We don't need more when comes to users. We have key escrow implemented somewhere, 10 years back, we won't have seen the actions of Chelsea Manning and Edward Snodden. I don't think they would have succeeded in that.
>> Bill Graham: Thank you all for attending and for the excellent questions and for staying through to the end. Very much appreciate. I would like to suggest a round of applause. Thanks.
[APPLAUSE]