July 11, 2017
The right to use strong encryption technology—like the encryption that secures your iPhone or protects your WhatsApp messages—isn’t only under political attack in the U.S. Governments in the U.K., Germany, France, and other European countries have recently taken steps toward undermining encryption. Although these local debates have engaged a wide range of policymakers, privacy advocates, and internet companies, they’ve been taking place largely in isolation from one another, with limited sharing of information, arguments, and advocacy tactics between those countries’ policy communities. That’s why OTI has begun a series of papers that will fill in some of those gaps by recounting the legal landscape and most recent political rhetoric around encryption in various European capitals. Today we are releasing the second paper in our series, focused on the crypto debate in Germany. Our first paper, on the United Kingdom, is available here. Our third paper, on France, will be out in the coming weeks.
Germany has, by far, the most pro-crypto government policy of the countries we studied. Their support of strong cryptography goes back at least as far as 1991, when their cryptanalysis group separated from the BND (the German Federal Intelligence Agency) to become the Federal Office for Information Security. Since then, the German government has repeatedly affirmed its support for widespread use of strong encryption. Mirroring the conclusion of the original Crypto Wars in the U.S. during the 90s, the German government in 1999 chose to oppose bans or limitations on encryption and instead encourage its development, while explicitly calling for other technical means to address the challenges posed to law enforcement by encryption. More recently, the government’s Digital Agenda for 2014-2017 concluded that “encryption of private communication must be adopted as standard across the board,” and the 2015 Charter to Strengthen Trusted Communications also strongly supported development of and access to unlimited encryption technology. Consistent with these positions, the government has even gone so far as to directly support the use of end-to-end encryption of email through Germany’s “De-Mail” system.
As we're seeing in other countries around the world, however, Germany’s dedication to encryption could be showing cracks. Most obviously, Germany’s interior minister, Thomas de Maizière, has been calling for action against encrypted services in the wake of increased terror attacks throughout Europe. In 2015 he called for the ability to “decrypt or bypass encryption” and in 2016 he joined his French counterpart in a letter to the European Union proposing an EU-wide directive that would instruct companies to decrypt messages on their services. However, it is unclear whether this indicates a broader shift in German policy, just as former FBI director Comey pressing the issue in the U.S. did not necessarily reflect a broader consensus in other relevant agencies or in the White House.
While supporting the use of encryption, the German government has also leaned heavily into expanding its budget and legal authority to use hacking as an investigative tool to circumvent that encryption, a strategy best illustrated in the government’s 2016 cybersecurity policy which called out Germany’s twin desires for “security through encryption” and “security despite encryption.” This approach has led to a relatively robust but still-contested legal regime surrounding hacking that is broadly protective of people’s privacy on their devices. The German Constitutional Court early on held that people have a strong privacy interest in their digital devices that provides substantial constitutional protection against searching the entirety of a device’s data. Despite these restrictions, German law enforcement has pushed back in a variety of ways, developing new legal theories and just last month obtaining significant expansion of their hacking authority through worrisome new legislation.
OTI came away with six major lessons from our analysis of the intersection of Germany’s encryption policy and hacking legal structure, aimed at pro-crypto advocates both inside and outside Germany:
Germany is relatively receptive to privacy-based arguments around encryption. The absence of encryption backdoors, compulsory key disclosure, or mandatory decryption laws is a direct consequence of Germany’s unique conception of privacy, strongly informed by its Nazi history and East Germany’s experiences under Stasi surveillance. Germany seems much more open to privacy-based arguments around encryption than the U.K., France, and even the U.S. Germany shows that a strong conception of privacy can weather even the persistent security threats that Europe faces today.
Germany is also very open to economic and cybersecurity arguments in favor of encryption. Germany has long prided itself on being a global industrial leader, and as reflected in the federal government’s Digital Agenda 2014-2017 white paper, it intends to maintain its role as a digital leader as well. Post-Snowden concern about foreign intelligence agencies—as well as concern about economic espionage—has also been a strong driver for encryption adoption. Germany provides a model for how other governments could sensibly approach encryption.
Government offices and agencies that are focused on privacy, security, and commerce can successfully counter law enforcement agencies’ call for backdoors. Just as in the U.S. in the past years, government watchdogs and regulatory bodies in Germany—particularly its data protection authorities, at both the federal and state levels—have vocally supported encryption. This growing and multifarious body of sentiment across the different parts of government helps to ensure that even when law enforcement officials go against broader government policy and start agitating around backdoors—whether it’s the U.S. FBI director or Germany’s interior minister—their impact is limited.
Lawful hacking can be a politically and practically workable alternative to backdoors, but raises its own privacy and security challenges. Germany’s growing focus on investigative hacking, both in terms of clarifying legal authority and increasing budgetary resources, demonstrates how such a focus can take pressure off the encryption debate and facilitate a move away from discussion of backdoors. Targeted hacking of particular suspects using existing vulnerabilities is, on balance, much better from a privacy and security perspective than mandating backdoors. However, such a change in focus brings a new challenge and opportunity: to leverage the encryption-prompted conversation around government hacking to strengthen regulation of the practice and make it as rights-respecting as possible, rather than foster unrestrained expansion of the practice in ways that could harm privacy and security. (Notably, OTI is currently participating in a multistakeholder U.S./German project that is considering this issue, the Transatlantic Cyber Forum, and just this week OTI is hosting a private convening of that group to collaboratively consider appropriate legal frameworks for government hacking.)
A strong culture of “hacktivism” and hacker collectives can bring much-needed publicity and technical expertise to issues of encryption and government hacking. While still nascent, the digital rights NGO scene in Berlin is quickly growing and evolving. Helping the encryption cause in Germany even before those groups, however, is its long-running and robust subculture of hacker collectives such as the world-famous Chaos Computer Club, which plays a key role in publicizing and explaining key aspects of the German government’s surveillance and hacking operations. For example, the first revelations of government hacking in Germany arose from a series of investigations by Chaos Computer Club in 2006-07. America’s broad community of information security experts from academia and industry has played a similarly vocal role in the U.S. debate, but France and the U.K. have unfortunately not benefited from the same level of technical engagement and expertise.
U.S./German alignment on encryption may help counter the U.K./French trend against encryption. Since Germany is easily the most pro-encryption environment of the three European countries surveyed, it is important to consider how U.S. and German policymakers and advocates who are pro-encryption might best collaborate on the issue to counter the British and French push toward backdoors, and invest resources accordingly. Any such collaboration must also focus on aggressively countering any moves against encryption in Germany, by the interior minister or otherwise, so that this strategically critical pro-encryption bulwark remains as a strong example for other European nations.