Lawfare, Tuesday, June 28, 2016, 12:26 PM
In the digital age, data is currency and information is the energy that drives the 21st century economy. Today, 46.1 percent of the world’s population is online. These 3.4 billion Internet users collectively generate a significant amount of commercial and personal data that can be stored, collated, and analyzed. This data is the lifeline that charts users’ online identities: it can also be monetized by Internet service providers, social media platforms, and end user applications. As a necessary corollary, control over data and the flow of information has become highly politicized. One who controls this data retains the power to shape the global geopolitical order.
Data is intrinsically valuable. Data grants access to an individual’s online activity, lifestyle choices, consumption patterns and so on. It is for this reason that states have been vying to gain access to vast amounts of data either through legal mechanisms or surreptitiously. It is also the backdrop for the evolving global norms around encryption. In many ways, this conversation is reminiscent of the adage of energy politics of the 20th century: he who controls the oil controls the world. There is, however, one central difference: today, every Internet user is the owner of an unending oil field and every Internet non-user is sitting on a potential reserve.
Despite of the Internet being touted as a great “equalizer,” these global conversations are often skewed in favor of the countries that generate data or possess the technological capability to access it. The encryption debate in countries with advanced technical capacities is very different from the countries without them. Until recently, countries with strong technical capabilities were also the most ardent advocates of encryption. This approach was fueled by the belief that the state’s interception capability would always outpace the individual’s encryption capability. Increasingly, this notion is proving to be false. Even the United States realizes that impenetrable encryption could wrest control of data from the hands of the state. It is this insecurity that is causing the pitched battle between Silicon Valley’s encryption evangelists and U.S. law enforcement officials. This insecurity, however, is not unique to the West. Governments in Asia and Africa also drive their own encryption debates out of a fear of losing control over the social order and their capability to monitor their citizens. At the same time, these issues’ importance is also accentuated by the looming threat that their countries’ data will be gathered, stored, and exploited across oceans in another continent.
Cyber diplomacy and geopolitics in these nations is therefore determined by the need to retain control over information emanating from within their countries and the anxiety of this data’s potential misuse by actors outside their borders. As with the conversations around the erstwhile frontier technologies in the nuclear and space domain, this too has a strategic dimension. Unfortunately, these strategic necessities are often responsible for constraining the development of privacy and data protection norms governing the Internet. States insist on perceiving the control of data as a zero sum game. Encryption is perhaps the centerpiece of the falsely dichotomous conversation around security and human rights. Encryption, however, must fundamentally be about human rights.
Encryption is an idea that is grounded in the principles of data integrity and data ownership. The right to encrypt communications is central to the autonomy that we offer all citizens over their own data and who can use, analyze, and access that data and under what conditions. This right automatically grants them the opportunity of determining who can commercially exploit their data. While most of us are comfortable exchanging our personal data for services over the Internet, this decision does not automatically nullify our right to choose how our personal data is used. Naturally, this autonomy must be subject to certain exceptions for law enforcement purposes. However, these exceptions must be considered, pragmatic, and mindful of the human rights imperative. They must not be driven by paranoia and the need for absolute control.
Another noteworthy dimension in this debate is the commercial opportunity that encryption presents. Encryption technology is big business. If data is the new currency then encryption solutions are the new Swiss banks and the market leaders in the tech space like Apple, Facebook and Google are all vying for recognition as “digital Swiss banks.” They are cognizant of the need to protect data, but equally conscious of its commercial value. While they refuse encrypted information to law enforcement agencies, apps and platforms in Google and Apple’s ecosystems innovate and thrive on the availability of big data. It is not public policy that is driving this harvest of data. It is, ironically, the “privacy policies” of major players. Across the pond, European regulators have failed to distinguish the false choice between public and private data with potentially negative consequences for innovation. Indeed, European Internet providers have themselves demanded that privacy norms reflect the need to innovate digitally.
All this is not to question the assumption that the state constantly seeks to monitor digital networks. But the growing trend towards protecting data from the prying eyes of the state poses another important question: is encryption the end of innovation? Increasing law enforcement requests for data retrieval and the myriad ways in which the state collects data en masse are leaving the private sector apprehensive of collecting big data that they may later be required to give up. While this may sound good prima facie, it has a serious downside. Without access to data, the private sector has no means to innovate and tailor their products to the market. The boom in the app economy was fueled largely by creating markets for products and services based on data analysis. Is it possible that the ubiquity of that very data is foretelling the collapse of the market that trades in information?
Ultimately, the debate on encryption must keep three vertices in focus: law enforcement, data privacy, and innovation. The legal standards around data protection and surveillance may vary across jurisdictions—as will the ability of start-ups to innovate—but any policy measures on encryption must arrive at a floating median between these three indicators.