Aegis Paper Series

Encryption Policy and Its International Impacts: A Framework for Understanding Extraterritorial Ripple Effects

By Ryan Budish
Wednesday, May 2, 2018, 9:00 AM

Encryption technologies play a complicated role in today’s connected, mobile, data-driven world. My colleagues, Herbert Burkert and Urs Gasser, and I have written a paper offering a conceptual framework that can help policy-makers better understand and anticipate the international ramifications of domestic encryption policies.

There is no doubt that encryption has enabled our digital economy, securing everything from online commerce, financial transactions, connected devices, and more. At the same time, examples abound of concerns from law enforcement and intelligence agencies that encryption technologies are making it harder to address crime and terrorism. The 2016 battle between Apple and the FBI over the availability of essentially unbreakable encryption on consumer devices like the iPhone is perhaps the most public, but far from the only example of the complex challenges that encryption poses for for legislators, law enforcement agencies, national security agencies, and other policymakers.

In response to these technological and legal challenges, decisionmakers and leaders of all kinds—legislators, regulators, intelligence and law enforcement agencies, and companies—are increasingly faced with difficult decisions that ultimately have both direct and indirect impacts on the effectiveness and availability of encryption tools. For example, legislators might mandate the inclusion of so-called “backdoors” in consumer devices, regulators might only allow the government to purchase technologies that meet minimum levels of security, intelligence agencies might attempt to influence encryption technical standards in ways that are beneficial to intelligence gathering, and companies might make encryption a default in their products. Collectively, choices like these effectively define a country’s encryption “policy.” It is not one law or a regulation, but instead the cumulative impact of each (sometimes conflicting) decision that affects the availability and effectiveness of encryption technologies.

The challenge for such decisionmakers is that although the domestic impacts of such individual decisions are often intended and predictable, the international implications are often both unintentional and poorly understood. The purpose of this paper is to help policymakers better anticipate the numerous global ramifications, including those that can undermine the intent of the original policy.

The ripple effects of these domestically oriented choices can be political, economic, or technological (and often all three). Perhaps no example is more dramatic than the aftermath of Edward Snowden’s revelations of the U.S. government’s surveillance efforts. The political impacts included several new laws proposed and implemented across the European Union. The technological impacts included countries like Brazil moving from NSA-backed encryption standards to German or other non-American standards and the ISO’s recent rejection of NSA-backed standards. And the economic impacts included anywhere from $35 to $180 billion in lost revenue for American companies.

One reason why it is so difficult for decisionmakers to anticipate the international effects of their decisions is the complex pathways and relationships that any one choice might affect. These are numerous, and exhaustively listing them would impossible given the feedback loops that exist between international commerce, geopolitics, and technical developments. Below I list just seven of these pathways, which highlight just some of the ways that domestic choices can propagate beyond national boundaries:                                                           

  1. National encryption policy directly affects another country’s public policy.
  2. National encryption policy directly affects another country’s private sector.
  3. National encryption policy indirectly affects another country’s public policy through an impact on the domestic private sector.                                                  
  4. National encryption policy indirectly affects another country’s private sector through an impact on the domestic private sector.
  5. National encryption policy indirectly affects another country’s private sector through an impact on that country’s public policy.
  6. Private sector policies directly affect another country’s private sector.
  7. Private sector policies directly affect another country’s public policy.                                                                         

By using this framework, policymakers can engage in more informed decision-making by carefully and systematically thinking through the various instruments of encryption policy-making, the relationships and pathways those instruments can activate, and the range of effects that might emerge.