The Economic Impact of Laws that Weaken Encryption

Abstract

The focus of this report is to assess the available evidence of the impact on the Australian and global economies of the Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (better known as “TOLA”). TOLA created a framework by which law enforcement and intelligence agencies, or LEIAs, could request or require information technology providers, or in the terminology of TOLA – Designated Communications Providers (DCPs) – to provide assistance in accessing the content of encrypted data, which may involve sharing of confidential company information or the development of new capabilities.

Our analysis leads us to conclude that TOLA has the potential to result in significant economic harm for the Australian economy and produce negative spillovers that will amplify that harm globally. By significant, we mean economic harms measurable in the multiple billions of dollars that are broad-based and likely to be (primarily) realised in coming years.

Section 3 provides a brief overview of TOLA’s history and legal impact. After an abbreviated and fast process, TOLA was passed in December 2018. Subsequently, TOLA has been subject to multiple reviews, each of which has recommended modifications to the legislation and its application. Section 4 explains the critical role that encryption plays in securing digital data and highlights some of the technical implications of introducing expanded capabilities to circumvent encryption. Section 5 addresses the potential economic impacts of TOLA. The conclusion that emerges from this analysis is that TOLA risks incurring significant future economic costs that are unlikely to be offset by future compensating economic benefits. This conclusion is warranted even though a precise quantification of the net economic impact is not feasible based on the data and research available to date, in part due to the opacity that TOLA creates.

There are numerous mechanisms identified by which TOLA may impose economic harms. For example, TOLA increases business uncertainty. Second, TOLA can harm the brand image of DCPs with operations in Australia that are vulnerable to the threat TOLA poses for the digital security of their products and services.Internet users, concerned that their data may be rendered less secure due to TOLA may opt to take their business elsewhere. Such responses can reduce DCP revenues and increase DCP operating costs as DCPs adopt work-around strategies to offset the TOLA-related threats. These direct effects need not be limited to DCPs that receive TOLA notices: they may be incurred by DCPs in anticipation of receiving a TOLA notice or by other entities concerned about the impact of TOLA. Those entities need not be limited to DCPs but may include their customers. In aggregate, these direct and indirect effects are likely to be broad-based and accumulate over time as effects ripple through the economy. Third, perhaps the single biggest source of adverse economic effects is the indirect threat that TOLA poses for trust in digital services, including the Internet. We are in the midst of a global transition to a digital economy in which eCommerce and networked digital information play an ever-larger role, impacting all countries, all sectors, and all businesses. If the services and networks that support this activity are trusted (e.g., the DCPs), then the economic growth prospects are bright. Reduced trust in data security is expected to depress aggregate demand across the digital economy and induce firms to incur higher costs in attempts to offset the harms resulting from the reduction in trust. Moreover, since digital technology is used throughout the entirety of the economy, these effects are economy-wide and impact all aspects of how modern businesses operate. Consequently, even small threats to cybersecurity, or equivalently, digital trust, have the potential to have large adverse costs. One study shows how threats to digital trust may translate into global harms on the order of a trillion dollars or more.

Section 6 presents the results of the primary research undertaken as part of this project. This included detailed interviews with leading multinational DCPs and an anonymous survey of DCPs with operations in Australia to assess their experiences and expectations regarding TOLA since its passage in 2018. The survey was similar to two earlier efforts – the first conducted on the eve TOLA’s passage, and the second, one year later. While the results of this research are insufficient to provide a reliable empirical basis to quantify the expected impact of TOLA, the results were consistent with and support the conclusion reached in Chapter 5.

Taken together, this analysis leads us to conclude that TOLA poses a significant risk of future net economic harms for Australia's economy, with likely adverse spillovers abroad. The preliminary evidence demonstrates that some firms have already experienced significant economic harms; although it appears likely that most of the aggregate impact of harms is likely to occur in the future and be widespread, if TOLA’s threat to encryption continues. Furthermore, the confusion and uncertainty for DCPs caused by TOLA persist and have yet to be adequately addressed.

While the challenges of estimating the economic impact are difficult, there has not been any significant public research that attempts to quantify the economic impact of TOLA or similar legislation in Australia or elsewhere. However, the lack of such empirical evidence does not imply that there is no significant impact. Rather, this suggests that the burden of proof should be shifted to evaluating the case for why TOLA is expected to yield significant benefits since the risk of broad and significant economic harms posed by TOLA is clear.

We were surprised to find that there have been no prior, substantial efforts to empirically estimate the economic costs or benefits of TOLA, or of analogous legislation (with economic implications for digital security) in Australia or elsewhere. Although our focus here is on the potential costs of TOLA, consideration of the potential benefits suggests that they would be even more difficult to estimate. It is unclear whether TOLA has improved or will improve LEIA access to digital data and enhance their operational effectiveness. Furthermore, it is generally accepted that one of the most important ways to promote cybersecurity is to promote wider adoption of end-to-end encryption. TOLA poses a challenge to wider adoption of effective end-to-end encryption, since by design, TOLA is about enabling a capability to access the content of encrypted data.

Lacking third-party research on which to ground an estimate of the economic impact of TOLA, we conducted primary research in the form of in-depth video-conference interviews with leading multinational DCPs and via an anonymous survey of DCPs, all of which have operations in Australia. As we explain more fully in the report, the empirical data collected is wholly consistent and supports the analysis in the rest of our report. The research of DCP experiences and expectations with TOLA provides empirical support for concluding that:
1. The expectation is that TOLA will have adverse impacts on businesses and their customers that is broad-based (i.e., not just limited to firms in the ICT sectors);
2. Most of the expected harms will be indirect and associated with the threat that TOLA poses for customer and industry partner perceptions of digital trust;
3. Significant uncertainty about TOLA and its effects continues;
4. Direct empirical evidence of economic costs (or benefits) is quite limited, but we attribute that to (a) opacity with which TOLA activities are shrouded due to the non-disclosure provisions; (b) limited time since TOLA’s passage and continuing controversy suppressing LEIA use of TOLA authority; and (c) expectation that impacts are most likely to be indirect and in the future;
5. The limited direct evidence we did observe supports the conclusion that company-specific benefits are likely small, while company-specific costs may be quite large; and,
6. The available empirical data does not provide a reliable basis for quantifying the aggregate dollar economic impact of TOLA.

The evidence was also consistent with our expectation that empirical evidence of direct TOLA effects would be sparse and difficult to observe. This lack of empirical evidence, however, is not evidence of a lack of an effect. Nevertheless, the limited evidence collected is telling. One respondent that had experienced a direct adverse economic impact estimated the effect as being on the order of one billion (Australian) dollars, while the sole respondent that viewed the impact of TOLA mostly favourably saw its principal effect as rationalising existing legislation. Both observations are consistent with the conclusion that company-specific benefits are likely to be small, while company-specific costs may be quite large. Although the empirical research supports the overall conclusion of the report, the size of the sample precludes using this as the basis for a more precise quantification of those harms.