From private conversations through the likes of WhatsApp to confidential browsing histories through VPNs, encryption plays an integral role in our freedom of expression and privacy.
Yet governments continue to push for "backdoors" into encryption products and services, and in many countries people face severe restrictions on using apps and tools that rely on cryptography.
To find out where the heaviest restrictions are, our team of researchers has analyzed over 200 countries’ legislation to see:
- Which countries require manufacturers/sellers to get a license before producing or selling cryptography products/services
- Which countries have import and/or export restrictions on cryptography products/services
- Which countries don't have a personal use exemption for travelers carrying encrypted laptops
- Which countries place obligations on providers to hand over encryption keys for law enforcement purposes (factoring in whether a warrant is required for this)
- Which countries place obligations on end users to hand over encryption keys for law enforcement purposes (factoring in whether a warrant is required for this)
What did we find?
The vast majority of countries have some kind of restriction on encryption technologies, whether through import/export controls or law enforcement access to encrypted data. The harshest restrictions are found in places one might expect, e.g. Russia and China, but heavy restrictions are also in place across many other countries. And with more legislation and investigative powers being introduced all the time, restrictions are only set to increase in the coming months and years.
For example, while Brazil ranks as one of the "freer" countries on the basis of its current legislation, this is in spite of repeated attempts to impose further restrictions. Recent court orders have tried to block WhatsApp, and Facebook faced a legal battle with the country over its lack of cooperation in a criminal investigation (which even resulted in a Facebook vice president being arrested).
In short, many countries grant their citizens the right to freedom of speech and privacy, but undermine those rights when it comes to encryption, citing national security and serious crime as the reason.
Which countries require encryption providers to decrypt data for law enforcement purposes?
One of the biggest concerns when it comes to encryption is the access granted to law enforcement agencies, whether it be by decryption key or a requirement for providers to decrypt the data for them.
As the below map shows, a large number of countries have at least some potential access to providers’ encryption keys.
A handful of countries, including China and Russia, have sweeping access to decrypted data. In Russia, for example, SORM (Sistema Operativno-Rozysknykh Meropriyatiy, the System for Operational-Investigative Activities) gives the Federal Security Service (FSB) access to electronic messages and to the keys needed to decrypt them, without judicial authorization.
Many European, Asian, and African countries, as well as the United States, have laws that enable law enforcement to request providers hand over encryption keys and/or decrypt data.
In the United Kingdom, a number of laws grant law enforcement the power to require that encryption be removed from communications. Section 49 of the Regulation of Investigatory Powers Act 2000 provides that, where protected information has come into the possession of law enforcement, they can, with written permission from a judge, impose a disclosure requirement for the data to be produced in intelligible form. To do so, law enforcement must have reasonable grounds to believe that the person holds the key to the protected information; that disclosure is necessary in the interests of national security, for preventing or detecting crime, or in the interests of the UK's economic well-being; that the requirement is proportionate to what it seeks to achieve; and that the information cannot reasonably be obtained in intelligible form without imposing the requirement.
In the United States, Section 103(a) of the Communications Assistance for Law Enforcement Act of 1994 (CALEA) requires telecommunications carriers to ensure that their equipment and services can be intercepted when presented with a court order or other lawful authorization. However, Section 103(b)(3) limits this: "A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Most decryption laws follow the same model as the United States, requiring providers to decrypt data they have encrypted themselves but not data encrypted by other providers or by the users.
A number of other countries have ambiguously worded laws that could be read to let law enforcement demand the disclosure of encrypted information, or their laws have been interpreted in that way. For instance, in the European Union, the Council Resolution of 17 January 1995 on the Lawful Interception of Telecommunications sets out the interception requirements that member states were expected to implement in national law.
The resolution states that “If network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair.” En clair means “in plain language” and can therefore be interpreted to mean decrypted.
Which countries require encryption users to decrypt data for law enforcement purposes?
It's a similar picture when we look at law enforcement powers to demand decryption keys or decrypted data from the users of encrypted services and products.
The laws tend to cover communications or access to computers, requiring those in possession of a key to hand it over to law enforcement on request or to assist them in the decryption process.
Again, some countries have no specific laws but do have ambiguously worded ones. In other cases, countries rely more heavily on service providers to hand over the data, as in the United States, where no law explicitly gives law enforcement the power to require users to hand over decrypted data or keys.
Ultimately, "backdoor" access to providers' encrypted data is the easiest way for law enforcement to get at it, which is why a worrying number of countries are trying to implement such measures. This includes:
- India’s ongoing battle with WhatsApp
- Brazil's recent court orders attempting to block WhatsApp, and its current "Fake News" bill, which attempts to break end-to-end encryption
- The United States' Lawful Access to Encrypted Data Act, a bill for backdoor access to encrypted data submitted to Congress in June 2020
Which countries require licenses for producing or manufacturing encryption services/products?
A large number of African, Middle Eastern, and Asian countries have sweeping licensing requirements, meaning that most sellers or manufacturers of cryptography products must obtain a license before distributing them. France also has a requirement of this kind: anyone wishing to provide cryptography services must declare this to the Prime Minister.
Some countries, e.g. Turkey, Ethiopia, Tunisia, and Mali, have licensing requirements but don't require every provider of cryptography services to obtain a license. In Tunisia, for example, a business importing cryptography products for its own (or temporary) use doesn't need a license.
A number of countries have also enacted laws that enable the relevant ministries to create licensing requirements for cryptography services but don't appear to have put anything in place as of yet. This includes the Bahamas and Barbados.
Which countries have import/export limitations for cryptography services/products?
A far greater number of countries place some kind of limit on importing and/or exporting cryptography products (or products that contain cryptography but aren't solely for encryption purposes). In most cases, a business must register its company and product with the designated agency in the country it is importing to or exporting from, and this may also require submitting technical specifications.
Quite a few of the countries with wide-ranging cryptography licensing requirements also impose severe restrictions on the import and export of these products.
For example, in the countries of the Eurasian Economic Union (EAEU), namely Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia, an import/export license, permit, and registered notification are required, and a number of details are examined, including the list of cryptographic algorithms, the maximum key length, the list of protocols implemented, how the encryption is employed, what type of data is encrypted, and how it is encrypted.
The vast majority of countries with customs laws restrict exports of cryptography products and/or limit imports from designated countries. A large number are participating states of the Wassenaar Arrangement (for a full list, see the methodology section) and/or are governed by EU law. Participating states of the Wassenaar Arrangement:
- Have agreed to maintain national export controls on certain items, including cryptography products
- Have agreed to report on transfers and denials of specified controlled items to destinations outside the Arrangement
- Exchange information on sensitive dual-use goods and technologies
Again, a number of countries have laws in place that will enable them to create import/export requirements for cryptography products but don’t appear to have put anything in place as of yet.
Which countries don’t have a “personal use exemption” for those traveling with encrypted laptops?
As well as imposing import/export restrictions on businesses offering encryption services, some countries also place clear restrictions on travelers carrying encrypted laptops. In contrast, some of the countries participating in the Wassenaar Arrangement offer travelers a "personal use exemption."
Please note: while clear restrictions or exemptions exist in the countries above, travel to other countries may or may not be restricted. It is always best to check with the country you're traveling to beforehand, regardless of whether it is party to an agreement.
Methodology
To determine the laws in place across each category, we have analyzed various pieces of legislation in each country. This includes Criminal Procedure Codes, laws on Cybercrime, Communication/Telecommunication Acts, Interception/Surveillance Acts, and any other relevant decrees, acts, laws, or resolutions.
We have focused solely on legislative powers/orders and those that primarily affect communications providers, internet service providers, or data stored on/accessed through computers.
A country may have no such legislation, or may appear to have protections in place, yet the picture may be different in practice. To avoid subjectivity in our results, however, we have only considered what is legally permitted within each country. As mentioned, we have also looked at legislation that can be interpreted to cover encryption even if it doesn't mention it specifically. In these cases, we looked for ambiguous wording, such as a requirement to make data "intelligible," or for examples of telecommunications providers, such as Vodafone, interpreting the law to mean that law enforcement could require them to decrypt data in that country.
Where nothing has been found, we have omitted the country from the results. A lack of legislation could mean there are no restrictions or law enforcement powers, but for accuracy we have not included these countries.
Sources
For a full list of sources, please visit our spreadsheet: https://docs.google.com/spreadsheets/d/1dcPIqWYJ5fe0HY6pCbWixTi6B9U9yX7FLURBbko5d1g/edit?usp=sharing