The Economic Impact of Laws that Weaken Encryption

G. Barker, W. Lehr, M. Loney, D. Sicker
{"title":"The Economic Impact of Laws that Weaken Encryption","authors":"G. Barker, W. Lehr, M. Loney, D. Sicker","doi":"10.2139/ssrn.3866902","DOIUrl":null,"url":null,"abstract":"The focus of this report is to assess the available evidence of the impact on the Australian and global economies of the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (better known as “TOLA”). TOLA created a framework by which law enforcement and intelligence agencies, or LEIAs, could request or require information technology providers, or in the terminology of TOLA – Designated Communications Providers (DCPs) – to provide assistance in accessing the content of encrypted data, which may involve sharing of confidential company information or the development of new capabilities. <br><br>Our analysis leads us to conclude that TOLA has the potential to result in significant economic harm for the Australian economy and produce negative spillovers that will amplify that harm globally. By significant, we mean economic harms measurable in the multiple billions of dollars that are broad-based and likely to be (primarily) realised in coming years. <br><br>Section 3 provides a brief overview of TOLA’s history and legal impact. After an abbreviated and fast process, TOLA was passed in December 2018. Subsequently, TOLA has been subject to multiple reviews, each of which has recommended modifications to the legislation and its application. Section 4 explains the critical role that encryption plays in securing digital data and highlights some of the technical implications of introducing expanded capabilities to circumvent encryption. Section 5 addresses the potential economic impacts of TOLA. The conclusion that emerges from this analysis is that TOLA risks incurring significant future economic costs that are unlikely to be offset by future compensating economic benefits. This conclusion is warranted even though a precise quantification of the net economic impact is not feasible based on the data and research available to date, in part due to the opacity that TOLA creates. <br><br>There are numerous mechanisms identified by which TOLA may impose economic harms. For example, TOLA increases business uncertainty. Second, TOLA can harm the brand image of DCPs with operations in Australia that are vulnerable to the threat TOLA poses for the digital security of their products and services.Internet users, concerned that their data may be rendered less secure due to TOLA may opt to take their business elsewhere. Such responses can reduce DCP revenues and increase DCP operating costs as DCPs adopt work-around strategies to offset the TOLA-related threats. These direct effects need not be limited to DCPs that receive TOLA notices: they may be incurred by DCPs in anticipation of receiving a TOLA notice or by other entities concerned about the impact of TOLA. Those entities need not be limited to DCPs but may include their customers. In aggregate, these direct and indirect effects are likely to be broad-based and accumulate over time as effects ripple through the economy. Third, perhaps the single biggest source of adverse economic effects is the indirect threat that TOLA poses for trust in digital services, including the Internet. We are in the midst of a global transition to a digital economy in which eCommerce and networked digital information play an ever-larger role, impacting all countries, all sectors, and all businesses. If the services and networks that support this activity are trusted (e.g., the DCPs), then the economic growth prospects are bright. Reduced trust in data security is expected to depress aggregate demand across the digital economy and induce firms to incur higher costs in attempts to offset the harms resulting from the reduction in trust. Moreover, since digital technology is used throughout the entirety of the economy, these effects are economy-wide and impact all aspects of how modern businesses operate. Consequently, even small threats to cybersecurity, or equivalently, digital trust, have the potential to have large adverse costs. One study shows how threats to digital trust may translate into global harms on the order of a trillion dollars or more. <br><br>Section 6 presents the results of the primary research undertaken as part of this project. This included detailed interviews with leading multinational DCPs and an anonymous survey of DCPs with operations in Australia to assess their experiences and expectations regarding TOLA since its passage in 2018. The survey was similar to two earlier efforts – the first conducted on the eve TOLA’s passage, and the second, one year later. While the results of this research are insufficient to provide a reliable empirical basis to quantify the expected impact of TOLA, the results were consistent with and support the conclusion reached in Chapter 5. <br><br>Taken together, this analysis leads us to conclude that TOLA poses a significant risk of future net economic harms for Australia's economy, with likely adverse spillovers abroad. The preliminary evidence demonstrates that some firms have already experienced significant economic harms; although it appears likely that most of the aggregate impact of harms is likely to occur in the future and be widespread, if TOLA’s threat to encryption continues. Furthermore, the confusion and uncertainty for DCPs caused by TOLA persist and have yet to be adequately addressed. <br><br>While the challenges of estimating the economic impact are difficult, there has not been any significant public research that attempts to quantify the economic impact of TOLA or similar legislation in Australia or elsewhere. However, the lack of such empirical evidence does not imply that there is no significant impact. Rather, this suggests that the burden of proof should be shifted to evaluating the case for why TOLA is expected to yield significant benefits since the risk of broad and significant economic harms posed by TOLA is clear.<br><br>We were surprised to find that there have been no prior, substantial efforts to empirically estimate the economic costs or benefits of TOLA, or of analogous legislation (with economic implications for digital security) in Australia or elsewhere. Although our focus here is on the potential costs of TOLA, consideration of the potential benefits suggests that they would be even more difficult to estimate. It is unclear whether TOLA has improved or will improve LEIA access to digital data and enhance their operational effectiveness. Furthermore, it is generally accepted that one of the most important ways to promote cybersecurity is to promote wider adoption of end-to-end encryption. TOLA poses a challenge to wider adoption of effective end-to-end encryption, since by design, TOLA is about enabling a capability to access the content of encrypted data.<br><br>Lacking third-party research on which to ground an estimate of the economic impact of TOLA, we conducted primary research in the form of in-depth video-conference interviews with leading multinational DCPs and via an anonymous survey of DCPs, all of which have operations in Australia. As we explain more fully in the report, the empirical data collected is wholly consistent and supports the analysis in the rest of our report. The research of DCP experiences and expectations with TOLA provides empirical support for concluding that:<br>1. The expectation is that TOLA will have adverse impacts on businesses and their customers that is broad-based (i.e., not just limited to firms in the ICT sectors);<br>2. Most of the expected harms will be indirect and associated with the threat that TOLA poses for customer and industry partner perceptions of digital trust;<br>3. Significant uncertainty about TOLA and its effects continues;<br>4. Direct empirical evidence of economic costs (or benefits) is quite limited, but we attribute that to (a) opacity with which TOLA activities are shrouded due to the non-disclosure provisions; (b) limited time since TOLA’s passage and continuing controversy suppressing LEIA use of TOLA authority; and (c) expectation that impacts are most likely to be indirect and in the future;<br>5. The limited direct evidence we did observe supports the conclusion that company-specific benefits are likely small, while company-specific costs may be quite large; and,<br>6. The available empirical data does not provide a reliable basis for quantifying the aggregate dollar economic impact of TOLA.<br><br>The evidence was also consistent with our expectation that empirical evidence of direct TOLA effects would be sparse and difficult to observe. This lack of empirical evidence, however, is not evidence of a lack of an effect. Nevertheless, the limited evidence collected is telling. One respondent that had experienced a direct adverse economic impact estimated the effect as being on the order of one billion (Australian) dollars, while the sole respondent that viewed the impact of TOLA mostly favourably saw its principal effect as rationalising existing legislation. Both observations are consistent with the conclusion that company-specific benefits are likely to be small, while company-specific costs may be quite large. Although the empirical research supports the overall conclusion of the report, the size of the sample precludes using this as the basis for a more precise quantification of those harms. <br>","PeriodicalId":10506,"journal":{"name":"Columbia Law School","volume":"85 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2021-04-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Columbia Law School","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.2139/ssrn.3866902","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2

Abstract

The focus of this report is to assess the available evidence of the impact on the Australian and global economies of the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (better known as “TOLA”). TOLA created a framework by which law enforcement and intelligence agencies, or LEIAs, could request or require information technology providers, or in the terminology of TOLA – Designated Communications Providers (DCPs) – to provide assistance in accessing the content of encrypted data, which may involve sharing of confidential company information or the development of new capabilities.

Our analysis leads us to conclude that TOLA has the potential to result in significant economic harm for the Australian economy and produce negative spillovers that will amplify that harm globally. By significant, we mean economic harms measurable in the multiple billions of dollars that are broad-based and likely to be (primarily) realised in coming years.

Section 3 provides a brief overview of TOLA’s history and legal impact. After an abbreviated and fast process, TOLA was passed in December 2018. Subsequently, TOLA has been subject to multiple reviews, each of which has recommended modifications to the legislation and its application. Section 4 explains the critical role that encryption plays in securing digital data and highlights some of the technical implications of introducing expanded capabilities to circumvent encryption. Section 5 addresses the potential economic impacts of TOLA. The conclusion that emerges from this analysis is that TOLA risks incurring significant future economic costs that are unlikely to be offset by future compensating economic benefits. This conclusion is warranted even though a precise quantification of the net economic impact is not feasible based on the data and research available to date, in part due to the opacity that TOLA creates.

There are numerous mechanisms identified by which TOLA may impose economic harms. For example, TOLA increases business uncertainty. Second, TOLA can harm the brand image of DCPs with operations in Australia that are vulnerable to the threat TOLA poses for the digital security of their products and services.Internet users, concerned that their data may be rendered less secure due to TOLA may opt to take their business elsewhere. Such responses can reduce DCP revenues and increase DCP operating costs as DCPs adopt work-around strategies to offset the TOLA-related threats. These direct effects need not be limited to DCPs that receive TOLA notices: they may be incurred by DCPs in anticipation of receiving a TOLA notice or by other entities concerned about the impact of TOLA. Those entities need not be limited to DCPs but may include their customers. In aggregate, these direct and indirect effects are likely to be broad-based and accumulate over time as effects ripple through the economy. Third, perhaps the single biggest source of adverse economic effects is the indirect threat that TOLA poses for trust in digital services, including the Internet. We are in the midst of a global transition to a digital economy in which eCommerce and networked digital information play an ever-larger role, impacting all countries, all sectors, and all businesses. If the services and networks that support this activity are trusted (e.g., the DCPs), then the economic growth prospects are bright. Reduced trust in data security is expected to depress aggregate demand across the digital economy and induce firms to incur higher costs in attempts to offset the harms resulting from the reduction in trust. Moreover, since digital technology is used throughout the entirety of the economy, these effects are economy-wide and impact all aspects of how modern businesses operate. Consequently, even small threats to cybersecurity, or equivalently, digital trust, have the potential to have large adverse costs. One study shows how threats to digital trust may translate into global harms on the order of a trillion dollars or more.

Section 6 presents the results of the primary research undertaken as part of this project. This included detailed interviews with leading multinational DCPs and an anonymous survey of DCPs with operations in Australia to assess their experiences and expectations regarding TOLA since its passage in 2018. The survey was similar to two earlier efforts – the first conducted on the eve TOLA’s passage, and the second, one year later. While the results of this research are insufficient to provide a reliable empirical basis to quantify the expected impact of TOLA, the results were consistent with and support the conclusion reached in Chapter 5.

Taken together, this analysis leads us to conclude that TOLA poses a significant risk of future net economic harms for Australia's economy, with likely adverse spillovers abroad. The preliminary evidence demonstrates that some firms have already experienced significant economic harms; although it appears likely that most of the aggregate impact of harms is likely to occur in the future and be widespread, if TOLA’s threat to encryption continues. Furthermore, the confusion and uncertainty for DCPs caused by TOLA persist and have yet to be adequately addressed.

While the challenges of estimating the economic impact are difficult, there has not been any significant public research that attempts to quantify the economic impact of TOLA or similar legislation in Australia or elsewhere. However, the lack of such empirical evidence does not imply that there is no significant impact. Rather, this suggests that the burden of proof should be shifted to evaluating the case for why TOLA is expected to yield significant benefits since the risk of broad and significant economic harms posed by TOLA is clear.

We were surprised to find that there have been no prior, substantial efforts to empirically estimate the economic costs or benefits of TOLA, or of analogous legislation (with economic implications for digital security) in Australia or elsewhere. Although our focus here is on the potential costs of TOLA, consideration of the potential benefits suggests that they would be even more difficult to estimate. It is unclear whether TOLA has improved or will improve LEIA access to digital data and enhance their operational effectiveness. Furthermore, it is generally accepted that one of the most important ways to promote cybersecurity is to promote wider adoption of end-to-end encryption. TOLA poses a challenge to wider adoption of effective end-to-end encryption, since by design, TOLA is about enabling a capability to access the content of encrypted data.

Lacking third-party research on which to ground an estimate of the economic impact of TOLA, we conducted primary research in the form of in-depth video-conference interviews with leading multinational DCPs and via an anonymous survey of DCPs, all of which have operations in Australia. As we explain more fully in the report, the empirical data collected is wholly consistent and supports the analysis in the rest of our report. The research of DCP experiences and expectations with TOLA provides empirical support for concluding that:
1. The expectation is that TOLA will have adverse impacts on businesses and their customers that is broad-based (i.e., not just limited to firms in the ICT sectors);
2. Most of the expected harms will be indirect and associated with the threat that TOLA poses for customer and industry partner perceptions of digital trust;
3. Significant uncertainty about TOLA and its effects continues;
4. Direct empirical evidence of economic costs (or benefits) is quite limited, but we attribute that to (a) opacity with which TOLA activities are shrouded due to the non-disclosure provisions; (b) limited time since TOLA’s passage and continuing controversy suppressing LEIA use of TOLA authority; and (c) expectation that impacts are most likely to be indirect and in the future;
5. The limited direct evidence we did observe supports the conclusion that company-specific benefits are likely small, while company-specific costs may be quite large; and,
6. The available empirical data does not provide a reliable basis for quantifying the aggregate dollar economic impact of TOLA.

The evidence was also consistent with our expectation that empirical evidence of direct TOLA effects would be sparse and difficult to observe. This lack of empirical evidence, however, is not evidence of a lack of an effect. Nevertheless, the limited evidence collected is telling. One respondent that had experienced a direct adverse economic impact estimated the effect as being on the order of one billion (Australian) dollars, while the sole respondent that viewed the impact of TOLA mostly favourably saw its principal effect as rationalising existing legislation. Both observations are consistent with the conclusion that company-specific benefits are likely to be small, while company-specific costs may be quite large. Although the empirical research supports the overall conclusion of the report, the size of the sample precludes using this as the basis for a more precise quantification of those harms.
削弱加密的法律对经济的影响
本报告的重点是评估《2018年澳大利亚电信和其他立法修正案(援助和访问)法》(简称“TOLA”)对澳大利亚和全球经济影响的现有证据。TOLA创建了一个框架,通过该框架,执法和情报机构(leia)可以请求或要求信息技术提供商,或用TOLA的术语-指定通信提供商(dcp) -在访问加密数据内容方面提供帮助,这可能涉及共享机密公司信息或开发新功能。我们的分析使我们得出结论,TOLA有可能对澳大利亚经济造成重大经济损害,并产生负面溢出效应,将这种损害扩大到全球。所谓重大,我们指的是可衡量的数十亿美元的经济损害,这些损害具有广泛的基础,可能(主要)在未来几年内实现。第3节简要概述了TOLA的历史和法律影响。经过简短而快速的过程,TOLA于2018年12月获得通过。其后,当局进行了多次检讨,每一次检讨都建议修订法例及其适用。第4节解释了加密在保护数字数据方面所起的关键作用,并强调了引入扩展功能以规避加密的一些技术含义。第5部分阐述了“废物处置区”的潜在经济影响。从这一分析中得出的结论是,TOLA可能会产生巨大的未来经济成本,而这些成本不太可能被未来的补偿性经济效益所抵消。这一结论是有根据的,尽管基于迄今为止的数据和研究,对净经济影响的精确量化是不可行的,部分原因是TOLA造成的不透明。TOLA可能造成经济损害的机制有很多。例如,TOLA增加了业务的不确定性。其次,TOLA可能会损害在澳大利亚运营的dcp的品牌形象,这些dcp很容易受到TOLA对其产品和服务的数字安全构成的威胁。互联网用户担心他们的数据可能会因互联网信息服务托管而变得不那么安全,他们可能会选择在其他地方开展业务。由于DCP采用变通策略来抵消与tola相关的威胁,这些应对措施可能会减少DCP的收入,并增加DCP的运营成本。这些直接影响不一定仅限于收到TOLA通知的dcp:它们可能由预期收到TOLA通知的dcp或关注TOLA影响的其他实体产生。这些实体不必仅限于dcp,也可以包括其客户。总的来说,这些直接和间接的影响可能是广泛的,随着时间的推移,随着影响波及整个经济,这些影响可能会累积起来。第三,也许不利经济影响的最大单一来源是TOLA对包括互联网在内的数字服务的信任构成的间接威胁。我们正处于全球向数字经济过渡的过程中,电子商务和网络化数字信息发挥着越来越大的作用,影响着所有国家、所有部门和所有企业。如果支持这一活动的服务和网络是可信的(例如,dcp),那么经济增长前景是光明的。对数据安全的信任度下降预计将抑制整个数字经济的总需求,并诱使企业承担更高的成本,以抵消信任度下降带来的危害。此外,由于数字技术在整个经济中都被使用,这些影响是全经济的,影响到现代企业运作的各个方面。因此,即使是对网络安全或数字信任的小威胁,也有可能产生巨大的不利成本。一项研究表明,对数字信任的威胁可能会转化为一万亿美元或更多的全球损失。第6节介绍了作为该项目的一部分所进行的初步研究的结果。这包括对领先的跨国dcp进行详细访谈,并对在澳大利亚开展业务的dcp进行匿名调查,以评估他们自2018年通过TOLA以来对该法案的经验和期望。这项调查与之前的两次类似——第一次是在TOLA通过前夕进行的,第二次是在一年后进行的。虽然本研究的结果不足以为量化TOLA的预期影响提供可靠的实证依据,但结果与第5章的结论一致并支持。综上所述,这一分析使我们得出结论,TOLA对澳大利亚经济未来的净经济损害构成了重大风险,并可能对海外产生不利的溢出效应。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信