By Scott Shackelford, Eric Richards, Anjanette Raymond, Jackie Kerr, and Andreas Kuehn
How should the Internet be governed? What role should governments play? What about the private sector? Does it still make sense—as it did in 1998 when it was created—for a now untethered non-profit corporation based in California called the Internet Corporation for Assigned Names and Numbers (ICANN) to be responsible for managing the Domain Name System (DNS), which matches IP addresses with website names? Would your answer change if you were a resident of New Delhi, or Beijing?
From net neutrality to privacy, encryption, and the proper role for governments in securing critical infrastructure, Internet governance is a multi-faceted field with an increasing number of power centers shaping myriad global cybersecurity debates. Recently, in the wake of the 2015-16 Apple encryption saga touched off by the FBI’s request to unlock the iPhone of one of the San Bernardino shooters, the role of the private sector vis-à-vis states has enjoyed renewed attention at a time when the prevailing multi-stakeholder approach – incorporating a variety of non-governmental actors in an open and participative polycentric governance process – has come under strain. This reexamination is a continuation of the global debate following revelations by former NSA-contractor Edward Snowden, prompting a reassessment of the benefits and drawbacks of the current state of Internet governance and what role international law and institutions should play in crafting twenty-first century cyberspace.
Nations around the world are approaching the encryption debate in various ways dependent on their own unique cultural traditions and security posture. Our new paper, “iGovernance: The Future of Multi-Stakeholder Internet Governance in the Wake of the Apple Encryption Saga,” considers some of these approaches—including the U.S., European Union, India, Russia, and China—in an attempt to find areas of convergence and divergence that could give rise to norm building opportunities.
As we show, states around the world are taking divergent approaches to bottom-up and top-down cybersecurity policymaking. At one extreme is Russia. For example, a 2016 Russian law known as the “Yarovaya Law” after the United Russia Duma deputy, Irina Yarovaya, who co-sponsored it permits the Russian government to decrypt encrypted network traffic. A new administrative statute also prohibits the use of “uncertified means of coding [e.g., encryption] for the transmission of messages on the Internet[,]” thus laying the groundwork to restrict acceptable means of encryption to only those for which Russian intelligence possesses means of decryption. Noncompliant firms face stiff fines of up to 1 million rubles ($15,500). Even individuals who transmit messages using uncertified encryption tools could be fined up to 40,000 rubles ($615).
China, like Russia, has moved towards stricter control over encryption, but it has stepped back from some of the more extreme proposals as seen in the Yarovaya Law. The new antiterrorism law passed by China’s Parliament in December 2015 ostensibly aims to prevent terror attacks by increasing government access to digital communications, but the draft law’s requirements were significantly diluted before passage following extensive criticism from foreign companies and governments. It requires that telecom operators and Internet firms help the government decrypt data, but it does not require the turnover of encryption keys, government inspection of encryption system code, or the local storage of data – provisions that had been previously proposed (and most of which are included in the new Russian law). Under this law, telecoms and Internet companies have to provide “technical interfaces, decryption and other technical support assistance to public security organs and state security organs conducting prevention and investigation of terrorist activities in accordance with law.” Chinese authorities must likewise be able to carry out surveillance on all services, including encrypted communications.
As the U.S. Congress considers the appropriate role for the federal government in the encryption debate, policymakers should be mindful of the impact of their actions both within and beyond the United States. To date, the U.S. and Europe are on one side of an Internet governance spectrum favoring the multi-stakeholder status quo with India in the middle, followed by China, and Russia undertaking the most state-centric approach to both Internet governance generally and encryption specifically. While policy options for regulating encryption are country specific, it is clear that a wide menu of possibilities exists ranging from the EU Parliament and Silicon Valley’s championing of encryption technology to Russia’s attempts to neuter the technology. If the U.S. government were to require encryption backdoors or for companies to provide “technical assistance” to law enforcement, for example, then this could undermine the efforts of encryption advocates around the world. Indeed, such a policy could lead to a norm cascade toward greater government involvement in cyberspace, thus undermining the multi-stakeholder approach that the U.S. government has long promoted.
In other words, given that the United States remains a leading cyber power, U.S. encryption policy may well be mirrored back; we have to be comfortable with the reflection.