Balancing End-to-End Encryption and Public Safety

Over the last decade, there has been a significant debate around end-to-end encryption (E2EE) and its implications for public safety. At the forefront of the discourse is a false dichotomy between protecting privacy and ensuring national security. At the extreme ends of this deeply polarised debate are two key arguments. On the privacy side, it is believed that governments and law enforcement agencies desire unrestrained exceptional access to E2EE communications to spy on their citizens. On the security side, it is maintained that obtaining lawful exceptional access is the only way to protect citizens and uphold national security. The debate has reached a deadlock, with both sides perpetuating zero-sum views.However, experts are calling for a more nuanced conversation about possible solutions to the criminal use of E2EE services. It is vital that a range of views are considered in order to identify the key issues and inform a more productive debate. Through a review of the existing literature and insights from 22 semi-structured interviews, this paper balances the perspectives from a range of relevant stakeholders on the main elements of the E2EE debate and presents some key takeaways in an effort to move away from a crude privacy-versus-security binary.The paper presents the following key findings:There are clear and significant cyber security and privacy benefits to E2EE. Efforts to weaken or restrict its access would be a net loss for all.Criminal use of E2EE is a significant risk to public safety and solutions are vital. Yet, it should also be acknowledged that technology is an enabler of criminal and harmful activity and should not be treated as the root cause.The possibility of developing technical tools which could assist law enforcement investigations should not be categorically ruled out, but future proposals must be measured against the principles of proportionality, legality and technical robustness.Alternative options for law enforcement investigations such as metadata analysis and legal hacking should be considered, but they are not without their drawbacks. Legal hacking could be proportionate but its reliance on software vulnerabilities is largely at odds with strong cyber security. Metadata analysis is promising but more research is needed to determine the extent to which it can be used to aid law enforcement investigations.Industry do have a responsibility to make their platforms safer and free from criminal abuse. This requires implementation of safety-by-design principles and the provision of resources for better digital literacy and education. Governments must have oversight over the technical tools developed.A more nuanced debate must continue which actively moves away from zero-sum views of absolute privacy versus absolute security, and focuses more on how the risks to public safety can be reduced in proportion with the need to protect citizens' rights and freedoms

OMDDAC Snapshot Report 1: Data-driven Public Policy

‘Data-driven’ decision-making has been at the heart of the response to Covid-19 in the UK. Data-driven approaches include: sharing, linkage and analysis of different datasets from various sources; predictive modelling to anticipate and understand transmission and inform policy; and data-driven profiling to identify and support vulnerable individuals. This Snapshot Report incorporates OMDDAC’s findings from interviews with stakeholders, together with published research, to capture the lessons learned throughout the pandemic across these three case studies

OMDDAC Snapshot Report 3: Policing and Public Safety

Policing during a pandemic brings novel data-driven challenges. Solving them requires significant coordination and clear communication both within forces and across public sector agencies. This report presents three case studies demonstrating the range of opportunities and difficulties facing the police in this period: police access to NHS Test and Trace data; monitoring of crime and enforcement trends; and monitoring of police resourcing and wellbeing

Data-Driven Responses to COVID-19: Lessons Learned: OMDDAC Research Compendium

Funded by the Arts and Humanities Research Council under the UKRI COVID-19 Rapid Response call, the Observatory for Monitoring Data-Driven Approaches to COVID-19 (OMDDAC) is a collaboration between Northumbria University and the Royal United Services Institute (RUSI). This project has involved a multidisciplinary team of researchers (with expertise in the law on technology, data protection, and medicine as well as practical ethics, computer science, data science, applied statistics in health, technology and security studies and behavioural science) to investigate the legal, ethical, policy and operationalchallenges encountered in relation to key data-driven responses to the pandemic.The COVID-19 pandemic has accelerated the consideration of several priorities in the data and technology space, which are reflected in the UK Government’s present strategies. The National Data Strategy, in particular, pledges to take account of the lessons learned from the COVID-19 response and draw uponthe UK’s values of transparency, accountability and inclusion. Seeking to inform the lessons learned from the pandemic, the project used a mixed-methods research design that included case study analysis, interviews with key stakeholders (individuals with relevant expertise and/or experience in relation to the data-driven pandemic response), representative public surveys, and engagement with young people through a children’s rights charity. OMDDAC has published four snapshot reports focused on data-driven public policy, tech-driven approaches to public health, policing and public safety and key findings from the public perceptions survey. The emerging issues identified in those reports align closely with the four pillars of the National Data Strategy, which form the framework for this final project report:1. Data Foundations (data quality issues and infrastructure);2. Data Skills (data literacy of decision-makers);3. Data Availability (data sharing); and4. Responsibility (law, ethics, transparency, and public trust)

OMDDAC Snapshot Report 2: Tech-driven approaches to Public Health

This Snapshot Report incorporates OMDDAC’s findings from interviews with key stakeholders, together with published research, to capture the experiences and lessons learned throughout the pandemic in relation to technology-driven approaches to public health. This Report examines three case studies: digital proximity and exposure notification; risk scoring algorithms; and Covid-status certification

OMDDAC Practitioner Guidelines

These practitioner guidelines are presented by the AHRC funded ‘Observatory for Monitoring Data-Driven Approaches to COVID-19’ (OMDDAC) project. OMDDAC is a collaboration between Northumbria University and the Royal United Services Institute (RUSI), researching the data-driven approaches to COVID-19, with a focus upon legal, ethical, policy and operational challenges. OMDDAC has analysed key data-driven responses to COVID-19, collating lessons learned in ‘real time’ throughout the pandemic by way of representative public surveys, case study analysis and interviews with key stakeholders from a range of sectors (including local and central government, regulators, law enforcement, the medical and legal profession, charities and the third sector, the private sector, and an interdisciplinary range of academics). These practitioner guidelines have been informed by our research findings. The guidelines are relevant specifically to practitioners who work with data in the health and social care sector and in the law enforcement sector

An Evidence Quality Assessment Model for Cyber Security Policymaking

Part 1: Themes and IssuesInternational audienceA key factor underpinning a state’s capacity to respond to cyber security policy challenges is the quality of evidence that supports decision making. As part of this process, policy advisers, essentially a diverse group that includes everyone from civil servants to elected policy makers, are required to assess evidence from a mix of sources. In time-critical scenarios where relevant expertise is limited or not available, assessing threats, risk and proportionate response based on official briefings, academic sources and industry threat reports can be very challenging. This chapter presents a model for assessing the quality of evidence used in policymaking. The utility of the model is illustrated using a sample of evidence sources and it is demonstrated how different attributes may be used for comparing evidence quality. The ultimate goal is to help resolve potential conflicts and weigh findings and opinions in a systematic manner

Cybersecurity: Policy

Cybersecurity policy refers to a course of action adopted by a state, an organization, or a set of actors with the aim of ensuring cybersecurity and/or digital competitiveness as well as defining the individual and collective responsibilities in pursuit of that goal