End-to-end to end? The lesson we need to learn from the encryption policy debate
The tech community needs to get better at engaging on policy it doesn’t like the look of. Otherwise, bad rules get made and we lose our…
The tech community needs to get better at engaging on policy it doesn’t like the look of. Otherwise, bad rules get made and we lose our seat at the policymaking table.
This week several leaked documents revealed EU policymakers’ plans to reconcile end-to-end encryption (E2EE) with the challenges of policing illegal online activity. Here’s an important note: this piece does not address the merits of the policy proposals or encryption. I want to convince you of something else: that the tech sector’s response to the leak illustrates that it has been poor at understanding how policymakers think. In turn, this leads to policy that is worse for the tech sector — and, probably, society.
In the encryption debate, like many, the tech community (and I speak as a member of it, at Form) is too quick to dive into the argument, telling policymakers why they are wrong and usually with a fair slug of derision. We rarely pause to say: what are policymakers trying to achieve, and are there better ways of getting there? Why is it that policymakers in the US (via the EARN IT Act) and the EU, two of the world’s largest economies, are ending up in a similar place?
The reality is that once policymakers propose reform, something will change. We may succeed in killing the particular solution on the table right now, but we haven’t killed their view of the problem or that a solution is needed. The one they come back with, we might like even less. This means the real question isn’t “how can we win the argument”? It’s “how can we get the best outcome from this process”? They have very different answers.
The usual story
The E2EE vs law enforcement debate illustrates the usual story. It starts with the tech community misreading the intention: rather than engaging with the legitimate concerns of policymakers — in this case around issues like child sexual exploitation — the rhetoric is simply to spit back that this is an invasion of rights to privacy and commercial enterprise. The point: they believe there is a problem, even if we don’t.
Next, there’s a tendency to misunderstand the authority: elected governments can, at the end of the day, do more or less what they want, whether we in the tech community like it or not. If they want to amend the kind of encryption that is allowed, they can. Shouting that they “have no right” is to conflate a view about what the government’s authority should be with what it currently is. The point: they can do it if they want — the trick is to stop them wanting to.
Third, we tend to deride the solution: we don’t just disagree with policymakers but mock them for not “getting” it, or failing to understand the way tech works. “You can’t have a backdoor and E2EE, idiots”! Twitter is awash with much worse. This might be true but it embarrasses and alienates policymakers and signals an unwillingness to engage. The point: feeling clever won’t help when bad policy gets made.
Finally, our story ends with getting what we don’t want: policy that is not made with the input and influence of the tech community. This is invariably worse for the tech sector’s commercial and ideological interests (and society) than when policy combines cutting edge technical understanding, a shared view of the problem and a realistic assessment of what can and can’t be achieved. The point: it’s the same ignorance we just scoffed at, but now on the statute books staring back at us.
A better ending
It is in the cold, hard, rational self-interest of the tech community to avoid this ending to the story. But it means changing the way we engage. How about we start by understanding the intention. In this case, policymakers are under huge pressure on online child exploitation in particular. They need solutions. The status quo is not politically sustainable.
Then we need to get real about the authority. If EU and member state policymakers want to make these changes, they can, and will. Benedict Evans got this spot on in this tweet when he said that “privacy is how you lose this argument every time”, because it implies that it’s up to private companies to decide, not elected policymakers. This is even more true in instances where policymakers feel it is a question of safety and the rule of law, as it is in the E2EE case.
Finally, if we get this far, we get to engage on the solution. The leaked documents actually make a point of inviting engagement with the tech sector — the door is explicitly open to expertise and influence. This open door also allows a broader conversation: maybe engineering expertise can show that a different solution is possible.
The result of this is much more likely to be an outcome we can live with: some version of policy that does enough for policymakers to feel they have done their job and allows them to face their electorate, while working better for tech than the outcome we don’t want.
Why this matters
The genie is out of the bottle on tech: policymakers want their say and they will have it. We are in the absolutely infancy of the relationship with many more issues to settle. It is far better for the commercial self-interest of the tech sector globally to engage constructively on the future of the economic system in which it will operate. Otherwise that policy will be made, just without the expertise and input of the tech community.
The author is a partner at Form Ventures, a UK-based seed VC fund backing startups in markets where regulation and policy play a big role. We draw on a combined 20+ years of venture and public policy experience to help founders navigate these complex issues.
Follow Leo on twitter for more on policy and venture.
Find out more about Form here, but most importantly, get in touch. We’d love to hear your questions, thoughts and challenges!