Encryption – Anything to Declare?
Encryption is a great tool for reducing risks of the loss and interception of data. Encryption technology it has become increasingly deployable and powerful and is commercially available to all. National government security agencies now have cause for concern about its effects upon their collection capabilities. Many countries have laws in place that restrict encryption inside of their national territory. This is something which international travellers and companies with businesses abroad need to take careful note of.
I’ve been writing a series of articles to share my experiences of working as a data security officer in the British government. My theme is: there are that lessons learnt from the government sector are readily transportable to the private sector. Also, that the different security approaches of the two sectors have lessened throughout the quarter century I was on the government security scene.
Encryption was no exception. Some years ago, I was forwarded a letter from a math graduate. She wanted to know more about how the British government used encryption. Her letter ended up on my desk because no-one else in the government – certainly not the security and intelligence services – wanted to correspond with a member of the public about something so secret. I recall that the graduate clearly assumed that encryption was pretty much a government exclusive, so I was left to think of some helpful things to say to her without giving away sensitive information.
In fact, even then there was quite a lot of technical, open source information and I was able to quote a text book or two. I also fixed her up for a visit to the former government code-breaking center at Bletchley Park (now the ‘National Codes Centre’; it was not then open to the public). Lastly I dug out some references to some historical cypher used by English government agents in the sixteenth century.
I don’t know how helpful all of that this was to the graduate’s work but there would be a lot more open source material now. Yet data encryption is still a sensitive subject with governments. So far as the United States is concerned, strong encryption is regarded as a weapon since “during wartime, the ability to intercept and decipher enemy communications is crucial”. Other countries have varied approaches. Some hardly seem conscious of it while others make its export (if not use) an offense.
It’s the export of encrypted data that I’d like to concentrate here, because even commercially available encryption used by private sector companies and individuals might give data owners a problem when it crosses national boundaries. Visitors to foreign countries usually understand that things done in their own country can constitute a criminal activity in another. Respect for local (and national) laws is emphasised in State Department travel advice. For business people and anyone else who quite reasonably wants to protect their private data, having encrypted material in any form is worth putting on that travel list.
This point first came up for me when it became necessary for our staff to travel regularly to Europe with British government data. Though Europe constitutes a friendly operating environment, our risk assessments clearly pointed up a need for basic data encryption in case of loss or theft. However, we quickly learnt that some of our EU partners had state laws that restricted data encryption.
As I said in my article A Security Officer’s Playbook governments fear embarrassment above many things. The British government always seemed to me to have a particular fear of any unsought friction with foreign government, whether friendly or not. Before the time of more open European borders, I recall how we were prohibited from any kind of direct communications with foreign authorities without first consulting the UK equivalent of the State Department. The British government’s own Protective Makings Scheme seemed to echo this overriding concern: the definitions from its four classification levels each began with a rating of any damage that disclosure of the information might cause to foreign relations.
France in particular seemed to have strict laws about using encryption. That was of particular concern to us, given the increasing need for cross-border working with the French government in sensitive areas such as justice and immigration. This became a particular necessity following the 1994 opening of the Channel Tunnel, Britain’s first land border crossing. Travel between Britain and the European continent increased dramatically (20 million Tunnel passengers during 2012). And a land border required greater face to face co-operation between national governments, whose laws about protecting information had evolved separately. So the model of having the British Foreign Office use its expertise to handle all day to day affairs with other governments was unsustainable.
The real risk was not so much about the loss of low level government information inside of another country, since the countermeasure provided by encryption would cover that. Instead, our main effort was spent in countering the risks that our encryption countermeasures themselves could be regarded as illegal by our allies!
What made this very tricky to solve was the obvious language barriers, alongside an inhibition about treating directly with foreign governments. To this I could add some false trails, based on incomplete research into existing legal issues around encryption. Finally a general fear that, in moving to solve the problem, we could actually be making a horrible amount of work for ourselves – and others – that was disproportionate.
Turning to that false trail first. The Wassenaar Arrangement seemed a promising start. It mentioned encryption in the context of information security and seemed to lay down some useful provisions for the export of encryption technology. But the main purpose of this broad international treaty is arms proliferation. As I have said, some countries (the US included) regard encryption as a weapon. And the Wassenaar Arrangement was not, as I think some of us wishfully hoped, an enabler for us to use encryption in the lands of our friends and allies. At best, it would just ensure that taking some encryption material into the signatory countries was not an offense. But this could still be trumped by other national laws that could, say, prohibit the servants of foreign governments from using data encryption. Clearly this was not the framework upon which security officers could with confidence write instructions for our civil servants about the correct and legal use of data encryption abroad.
In the absence of an easy solution, the most safe and compliant alternative would have been to require all sensitive data to be processed inside of British diplomatic premises. But that was not a practical option, given the increased working between our civil servants and their European colleagues. In any case, the assumption of a safe haven for information inside of a national boundary was crumbling in the face of growing data portability. The normalization of effective and fully mobile technologies was putting great pressure upon the security department to agree working solutions that enabled the government to use the same methods as everyone else. So it was clear that our solution was not going to be based on any rules last affirmed in the 1960s about the inviolability of diplomatic premises and of diplomatic communications.
The solution to this knotty problem was neither easy nor technical in nature. It just involved a lot of dedicated work. A colleague with the patience – and, frankly, courage – to enter the Byzantine world of diplomatic niceties eventually got an understanding person from the diplomatic service to undertake the necessary conversations (in another language) with our opposite numbers on the opposite side of the English Channel. Eventually, and after much hard work, this resulted in the drawing up of a series of mini international treaties with the EU countries we needed to take our encrypted data into. Having international draft treaties on my desk was a memorable point in my job as a security officer. As I have said before, it can take you into scenarios that you would never have put in your job description. It would have been more satisfying to have signed these treaties myself, but I recall that was above my pay-grade.
So how might all of this help you? I have detailed one process for steering around encryption export procedures that worked, just to show how seriously the subject can be taken by national governments. Also, how much effort is needed to ensure government data is not compromised through any (embarrassing) failure to observe diplomatic niceties. It is against that background that I would advise you to assess the risks if you do need to carry encrypted data across national boundaries. If you propose to do so with any government material, then you should ensure that your contracts make provision for this. Otherwise there is a risk that the matter might simply have been overlooked (as you can see, it can be complex to resolve). And that is a good enough reason to raise the issue with the government owners of the data you are exporting.
If you are not proposing to carry government data then your organization should have plans of its own for managing the risks of data encryption that is to be used/carried across national frontiers by your staff. A good start would be to ensure that the national laws of every country that you do business with are checked in advance. That might sound intimidating, but remember that not all governments have strong views on your encrypted data and many are unlikely to have a problem in store for you. To help you assess this, there is a very useful resource for making a preliminary check. See the Homepage of Bert-Jaap Koops, who is Professor at the Tilburg Institute for Law, Technology, and Society (TILT) in the Netherlands. Professor Koops maintains a worldwide Crypto Law Survey, and has put together a very accessible set of open source information about the import, export and domestic encryption controls. His resources do include a disclaimer that they have no legal status, but security managers will find here an excellent roadmap for carrying any sort of data encryption into another country.
The Cloud on the Horizon
I see a new encryption challenge on the horizon in the form of Cloud technology. Even if you never intend to carry or transmit data to other countries, you should bear in mind that security issues around the Cloud have still to be worked through and that some of the issues around liability in particular are still unclear and/or have yet to be tested. So for instance, if a Cloud provider offers to protect your information with encryption, there might be some legal issues to cross depending upon which country the data comes to rest in, and through which countries the data might pass on its journey between you and your Cloud provider. These will of course be for the Cloud providers to take the lead in, but if you are storing particularly sensitive information in the Cloud then you might want to examine the fine print about the protection afforded to your data against any future legal action.
Getting assurance on legal matters like encryption can be complex, especially when encrypted data or materials have to pass through the hands of foreign governments. Removing risks completely is no more achievable in the case of legal compliance and, once again, sensible risk management is the answer. For the most sensitive information, risk avoidance should be a serious consideration. But if you are fortunate enough to have security staff who do not mind getting down into the weeds with unfamiliar legal issues, then your chances of managing the risks successfully will be greatly increased.