Every time a government passes a law that affects the Internet, tech companies must ask themselves a critical question: can they still properly provide their services while protecting user privacy under the new rules?
For companies operating in countries pursuing anti-privacy legislation, the answer is increasingly scary from both a user and corporate perspective.
That’s because anti-privacy laws often try to accomplish their goals by breaking or bypassing encryption – arguably the strongest and most widely available form of privacy and security in our digital age. Weakening encryption makes people and nations around the world more vulnerable to harm online.
But governments around the world that pass anti-privacy legislation are incurring unplanned costs that go beyond the chilling effects of lessened privacy for their citizenry.
Laws that attack encryption and privacy stifle their local tech industry and tarnish their reputation internationally, both of which are detrimental to their own economy.
To uphold the privacy and security of their users, some companies actually end up physically exiting a region and relocating servers – rather than weakening their service. This is something that the VPN company I work for, Private Internet Access, has done multiple times with the most recent example being in Hong Kong.
The Hong Kong Example
The imposition of a new national security law in Hong Kong has granted law enforcement the writ to seize servers located in Hong Kong without a warrant and otherwise execute warrantless interception of online communications. As a result, Private Internet Access stopped hosting servers in the physical jurisdiction of Hong Kong because doing so would represent a privacy risk to our users. Though our no-log policy and secure setup are designed to protect our users even in the event a server is seized, we felt we were unable to offer a Hong Kong-based VPN gateway that maintains the exemplary level of privacy and security we demand for our users. To be clear, Internet users in Hong Kong may use our service; we just can’t physically host an exit gateway in Hong Kong given the current laws in effect.
Private Internet Access isn’t the only tech company that has had to react quickly to the new anti-privacy laws in Hong Kong. Reactions ranged from companies like Zoom, Microsoft, Facebook, Google, and Twitter announcing that they would stop processing data requests from Hong Kong law enforcement, to other companies that have also removed their servers and ended existing business relationships in Hong Kong.
These government attacks on privacy and encryption may seem a whole other world away, but there is likely a battlefield to be found in your home country. Several governments worldwide have either passed or are considering laws that would change the legal playing field in which tech companies operate.
Legislation targeting encryption or encrypted data is an attack on privacy.
There are four general types of anti-privacy laws targeted at encryption or encrypted data emerging around the world: warrantless access, mandatory logs, mandatory man-in-the-middle access, and mandatory backdoors. Here’s how the security of people and businesses is at risk.
- When a government has granted itself the power to go into any data center located on its sovereign soil and seize servers, such as in Hong Kong, it is able to access any unencrypted data on those servers.
- When a government has mandated that data centers and Internet service providers retain Internet activity logs or connection records, it has saved the metadata for future analysis and use.
- With mandatory man-in-the-middle access and with warrantless server access, governments are put in the privileged position to execute attacks on encrypted data by any means, including the use of unpatched vulnerabilities known as “zero-days.”
- Mandatory backdoors force companies using encryption to add backdoors that allow governments access to encrypted data, but in doing so make their customers vulnerable to criminals and other bad actors because there’s no such thing as a backdoor that only the government can access.
The new national security law in Hong Kong provides for warrantless access to servers. Yet, this is also a threat in countries without laws permitting it.
For instance, Private Internet Access has previously physically left countries such as Russia and South Korea for that very reason. Legislation requiring mandatory Internet logs to be stored at the ISP or data center level is something that has passed in countries like Australia, Russia, and the United Kingdom. Germany is the latest country to legislate for mandatory man-in-the-middle access for its law enforcement while countries like the United States and India have been pushing for mandatory encryption backdoors. The list goes on and on.
Regulations targeting encryption are not the only types of proposed legislation that create unfavorable legal environments for Internet companies to thrive. There are many others that have legal experts on edge for their potential impact on customer privacy and security.
When such laws are passed, tech companies face difficult choices. Governments around the world need to realize that attacking encryption not only damages civil liberties but also has real economic impacts – something that should make any self-interested government wary. After all, other legislation like trade agreements takes so long to negotiate because of the acknowledged drastic economic impact. Despite this logical framework, technology and the Internet seem to be the one area in which governments legislate without regard for the potential economic impact.
Strong encryption practices are critical to the development of national economies worldwide. With the growing importance of the tech industry in every country’s economy, governments must support end-to-end encryption to ensure they don’t legislate away their competitive edge.
Image by Markus Spiske via Unsplash
Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.