WHEREAS, the use of user and provider-controlled forms of strong encryption applied to communications in transmission and to data storage devices, although simultaneously serving to help prevent certain types of crimes and preserve privacy, has also, with increased frequency, been implemented in such a manner as to significantly degrade the ability of law enforcement worldwide to detect and prevent serious crime before it occurs, as well as inhibit the identification of those responsible for crimes already committed; and

WHEREAS, the expanding implementation of user-only access encryption, in addition to enhancing privacy generally, is also specifically facilitating criminal activity worldwide by ensuring that evidence of crime is beyond the reach of law enforcement despite compliance with legal requirements that authorize the lawful seizure and use of such evidence and information in accordance with the applicable laws of each nation; and

WHEREAS, the expanding implementation of user-only access encryption may be seen by some in the industry as a means of plausibly denying knowledge of and responsibility for the use of their services or devices by criminals, terrorists, and spies so as to potentially obviate any legal obligation to stop or mitigate such harms; and

WHEREAS, it is recognized that providers who implement end-to-end encryption are also under economic pressure to compete with other international providers on a level playing field and that, currently, few governments mandate lawful access to encrypted information in an intelligible format thereby arguably placing those industry providers that voluntarily implement lawful access capabilities at a competitive disadvantage; and

WHEREAS, it is recognized that no one technological solution or process is likely to resolve the myriad of technical applications of encryption and that industry providers are in the best position to determine for each application a workable solution that meets their needs and the needs of their customers while still maintaining lawful access to encrypted information upon due process of law; and

WHEREAS, the IACP has previously noted in its Resolution of November 10, 2010, entitled “Address the Growing Electronic Surveillance Capability Gap” that advances in telecommunications technologies are creating a lawful access capability gap that should be addressed by remedial legislation in the United States to update the Communications Assistance for Law Enforcement Act of 1994 (CALEA); and

WHEREAS, the United States Attorney General, the United Kingdom Secretary of State for the Home Department, the United States Secretary of Homeland Security (acting) and the Australian Minister for Home Affairs, in an open letter dated 4 October 2019 to the Chief Executive Officer of Facebook, called upon Facebook and other companies to: embed the safety of the public in system designs, thereby enabling you to continue to act against illegal content effectively with no reduction to safety, and facilitating the prosecution of offenders and safeguarding victims; and enable law enforcement to obtain lawful access to content in a readable and usable format. Now, therefore, be it

RESOLVED, that the IACP strongly urges all world governments to adopt appropriate regulation or legislation that will compel industry providers to responsibly implement for themselves encryption technologies in a manner that maintains reasonable privacy protections for individuals while securely and timely permitting lawful access to communications and communication-related information in transmission, as well as other information in digital storage, and in an intelligible format pursuant to the legal requirements of each nation and due process of law.

Submitted by: Police Investigative Operations Committee and Computer Crimes & Digital Evidence Committee

PIO.23.19