Encryption as a Security Technology. Notes on the German Debate on encryption, Uncertainty and Risk

. this article contributes to the emerging literature on digital encryption as a political issue by focusing on the way in which debates about encryption are embedded in a broader security discourse. drawing on empirical material from Germany, this article shows how debates on encryption bring its ambiguous nature to the fore. encryption is seen as both a threat and a source of protection, it thus becomes clear that technology only acquires its political meaning in discourse. Furthermore, i show that security is discussed in terms of uncertainty, risks and complexity. the article concludes by arguing that this prevailing idea of security as risk leads to security measures that attempt to deal with complexity by involving a variety of actors, making multi-stakeholder approaches as a solution more plausible.


Introduction: Encryption as Political Technology
encryption technology is considered to be a core technology, not only for privacy and prevention of surveillance but also for security in general.encryption can prevent access by third parties to communications and is thus crucial for e-commerce (Hosein 2017;Diie, Landau 1998).Today, encryption is implemented in any networked technology.even more so, encryption is a highly political technology.It ensures private communication by preventing unwelcome third-party access, increasing the degree of anonymity and thus allowing secure communication for everybody.But this means that it also allows secure communication for criminals, potentially preventing law-enforcement from accessing digital communication. he debate about encryption is deeply embedded in debates about privacy and the freedom of speech, in short: democracy.ater the revelations by edward snowden, the question about the value of encryption attracted new attention (Meinrath, Vitka 2014;schulze 2017) ater a previous decline in public attention.I focus on this part of the debate that has emerged since 2013.
scholarship on these most recent debates is only beginning to emerge and comes from a variety of disciplines.Interest in the topic is not limited to computer scien-tists, as the political character of the debates is seen by commentators from all kinds of ields (schneier 2013;DuPont 2015;Froomkin 1995;Gürses, Kundnani, Hoboken 2016).I expand on this research by taking an explicit interest in encryption as a security issue.his paper uses insights from the ield of Critical security studies (Css) to understand how encryption is located within a broader security discourse.Much research has focused on the Us, but this article concentrates speciically on Germany given that it provides a contrast to the United states for several reasons.Firstly, Germany is a country traditionally very concerned with privacy (at least as its self-perception) and the assumption is thus that encryption is debated in more positive terms than in the Us.secondly, Germany is one of the main producers of encryption sotware.strong encryption regulation in the Us would be an asset for the German economy and its development of encryption.his is important, since claims for higher regulation are made, even though regulation would only be truly efective if successfully implemented in all countries.Political efort to regulate the export of encryption or implementing weaker encryption is thus less discussed than debates occurring in the Us during the 1990s (Diie, Landau 1998;schulze 2017;steiger, schünemann, Dimmroth 2017).
he article proceeds as follows: in the next section I discuss how Css has tried to conceptualize the security practices that emerge in relation to new networked technology.I then continue with some brief remarks on my methodology and methods.In the main section, I present my results from the discourse analysis.Two issues are core here: irstly, encryption is embedded in security discourse in an ambivalent way.It is considered to be both a threat and a means of protection.secondly, encryption security is characterized by decentralization, uncertainty and unpredictability.herefore encryption security can thus be said to follow a logic of risk having distinct implications for security policies.he conclusion summarizes the results and highlights the implication for our understanding of governing encryption as a security issue.

Security Technology
security studies, a sub-ield of International Relations, is traditionally concerned with understanding security politics between states (Waltz 2010).his research focuses on issues such as war and foreign policy.However, the vibrant ield of Critical security studies that emerged in the 1970s broadened its research agenda by including other security phenomena such as migration or health security (Buzan and Hansen 2009).For our discussion on encryption, two conceptual insights are important.
Firstly, researchers have shown that security practices enter everyday life and can be found in multiple places (Lyon 2003;Bigo 2012;Gaufman 2017).security practices are no longer limited to high politics, but impact everyday activities and are both difuse and decentered (Huysmans 2014;2011).analyzing security politics thus not only means inquiring about war and foreign policy but also how it impacts the everyday life of citizens (stevens and Vaughan-Williams 2017).especially feminist scholars have shown how security politics is enacted in everyday practice and impacts the most vulnerable people.War is thus not only something that happens between states in an abstract way, but in order to understand war one needs to look at the ground level and scrutinize the everyday life of women and children, too (nordstrom 1997;Wibben 2016).
In line with the focus on difuse security practices, researchers have identiied how (in)security is conceptualized in terms of uncertainty.When looking at security in practice, one cannot conceptually constrain security to high-politics and phenomena such as war.new security phenomena have thus oten been described by a logic of risk. he emergence of uncertainty rather than the presence of a logic of deterrence is oten linked with the end of the Cold War.new security phenomena such as terrorism or environmental security have emerged, and in this context it is diicult to predict the next attack or hazard (aradau, Van Munster 2007;elbe 2008;salter 2008).although high-impact events might be rare and diicult to predict, security politics focuses on precautionary measures and mitigating risks (Beck 1986).his difusion of security practices has been described using terminology that focuses on (incalculable) risks, uncertainty and precaution (Kessler and Daase 2008).
In a somewhat simplistic way one could thus say that security practices follow either a logic of risk or a logic of high politics (cf.Balzacq 2015).his should serve more as a heuristic rather than a precise description, since previous research has shown that both logics are oten entangled.However, this idea of security politics as being difuse and characterized by ever-present risks serves as a foil in section 4.1 in order to tease out the underlying assumption of the encryption security discourse.I demonstrate how themes known from previous risk-research play out when describing encryption as a security issue.
secondly, the pervasiveness of surveillance practices and new technologies for warfare show how networked technology alters security practices.Research over the past decade has scrutinized how security technology helps not only with the difusion of security practices, security technology is also oten highly contested and security debates revolve around speciic technical questions, such as the design of body scanners or the origin of missiles (schouten 2014; Walters 2014).as a result Css is paying increasing attention to security technology.his meant a broadening of the research agenda in terms of its theoretical resources by engaging with the theories of science and technology studies (sTs), most prominently here the actor-network-theory (anT) as developed by Bruno Latour, annemarie Mol, John Law and Michel Callon (Latour 1999;Callon 1984;Mol 2010).It also means expanding the object of research, focusing on technologies and security devices like drones or biometrics (Leander 2013;Jacobsen 2015).
encryption technology has so far not been granted much attention within Css (but see: Dunn Cavelty 2007).However it is a crucial technology for internet security Pobrane z czasopisma Mediatizations Studies http://mediatization.umcs.plData: 15/09/2023 04:36:43 U M C S as a whole.even more so encryption plays a crucial role in debates about surveillance and privacy, which are both essential topics for Css (amoore 2014;Bauman et al. 2014).Researching encryption as a security technology will thus also contribute to how security is linked to debates on privacy via surveillance.as I demonstrate below, encryption is irmly embedded in the broader discourse on security, surveillance and privacy.Regulating security practices thus also means making decisions concerning the control of security technologies such as encryption.More speciic questions, like key-length, are open for contestation (Monsees 2017).Understanding security politics thus also means understanding its underlying security technology.However, when looking at encryption technology we can also see that values such as privacy and freedom are debated as well.hus we need to pay attention to both the technology itself and the values attached to it (cf.Barry 2012).
Understanding how certain ideas and values are negotiated requires a distinct approach that not only examines the material features of the technology but also the wider context in which the technology is embedded and the political debates that revolve around it.Consequently, I analyze the debates about encryption and security and in the next section I explicate this choice and the selection of material in more detail.

Methodology
his section presents the methodology and methods underlying this research.he aim of this article is to understand the way in which encryption is presented as a security issue.his requires less of an analysis of the technological features and more an understanding of how actors on the level of practice present encryption, and how it becomes a security issue.a discourse analytical perspective provides the best tools to achieve this aim.In line with interpretative research, I am not interested in trying to access the 'real intention', as the mental state of some person (Yanow, schwartzshea 2006), but rather the intersubjective meanings.such a perspective is in line with discourse studies that exist in many varieties (Fairclough 2013;Wodak 1989;Foucault 1972). he general assumption behind discourse research is that studying discourse reveals structures of meaning that are intersubjectively shared.studying texts reveals which knowledge resources are shared and, independently of personal beliefs, I can reconstruct the intersubjective meaning of texts (Keller 2007).
hrough the analysis of discourse, oten with a focus on speciic linguistic features such as metaphors or narrative structures, it becomes possible to understand these structures of meaning.again, the aim is not to ascribe speciic intentions or motives to an author of a text.a discourse analysis is interested in understanding the shared knowledge that is present in a speciic community.analyzing this shared knowledge can, for example, make plausible why speciic kinds of action seemed legitimate, or why other actions became less likely or completely unthinkable (Hajer 1995) he results presented here in this article are part of a larger project which analyzed the Us and German encryption discourse between 2012 and 2016 (cf.Monsees 2017).In this paper I solely focus on Germany.since my main interest is to show how encryption was presented as a security issue in popular discourse (rather than, for instance, among cryptologists), I focused on texts published in mass media, but also included statements by politicians and experts speaking in a public setting such as in a press release for an nGO or testifying at a public hearing.he focus on the media is justiied by the insight that the media discourse is of crucial importance in order to understand societal discourse.although we live in a functionally diferentiated society, media discourse is a crucial one.It can be said that the media discourse is to mediate between the diferent specialized discourses (Link 2013, p. 11;2006).analyzing mass media is one of the preferred sites for discourse analysts to discover prevailing patterns of argumentation in a society (cf. Fairclough 1995;Meier, Wedl 2014). he main part of the analysis focuses on the presentation of encryption in newspaper.newspapers are a prime site for the analysis, as they present arguments present not in only a specialized ield but make it accessible to a broader audience (schneider 2010; Wessler et al. 2008, p. 26-28).In the newspaper I could detect patterns of argumentation stemming from popular culture or expert discourse (Link 2006).While online sources become more important, traditional newspaper are still a dominant tool for accessing news (nossek, adoni, nimrod 2015).newspaper present the arguments in an accessible way and heir arguments circulate in the broader public.In addition, I also included what I call specialized magazines, written for the general public but tailored to an audience that is interested in information technology.hey thus present encryption as a security technology in accessible terms, but their coverage is oten more detailed than that found in newspaper (e.g.CHIP, ComputerBILD).
To be more precise: I selected articles from June 2012 to June 2016.his included the texts published in two major German newspapers, Süddeutsche Zeitung and Frankfurter Allgemeine Zeitung, the former considered to be the more liberal and the latter the more conservative newspaper.he newspaper and magazine texts were selected with the data-bank, factiva.I did a rough irst analysis of all remaining texts and then selected the texts for a ine-grained analysis.another crucial source involved statements by experts at the hearing 'Digitale agenda' at the German parliament, which took place 7 May 2014.his hearing introduced the main arguments and allowed me to gain access to the debate within Germany.since the experts oten linked technical explanations with political recommendations, it allowed me to have a sense of how experts perceived technology, and how they assessed encryption as a technology.since the statements were quite long (about 10 pages) it allowed me to follow more Pobrane z czasopisma Mediatizations Studies http://mediatization.umcs.plData: 15/09/2023 04:36:43 U M C S complex argumentations and assessments.hese statements also formed part of the public discourse and, because of their length and detailed argumentation, they provided excellent sources for this project.In addition, I added texts by activists, choosing the main actors that are relevant to the debate.In Germany, these were: the Chaos Computer Club, which is not only the biggest hacker organization in europe but also an important voice in the German debate, the activist group netpilots (netzpiloten) and the Crypto Group of the society for Computer science (Fachgruppe Krypto der Gesellschat für Informatik).Politicians are surprisingly silent on the issue in Germany, the only longer statement that I found concerning encryption was a speech by then Interior secretary homas de Maizière.he German BKa and BnD (German Federal Police and German secret service) provided material on their homepage.In sum, I analyzed 51 texts in a ine grained way that allowed me to tease out the assumptions about security and technology underlying these texts.Using ancillary questions, I focused on the depiction of encryption, technology more general, security and the role of the main actors.hese questions focused my analysis and form the base of the results presented below.

Encryption as a Threat and a Means for Protection
When analyzing encryption as a security theme, we can see quite quickly that encryption is perceived both as a threat and as a solution for internet security.encryption is considered to be a means for protection against surveillance, whereas too powerful encryption can also be considered to be detrimental to law-enforcement.his shows that encryption technology only acquires its meaning as a security technology in discourse.In this section, I discuss the diferent positions that encryption occupies in discourse.his serves as a background to understanding the way in which 'security' as a concept is discussed in the discourse on encryption -a topic to which I turn in the next section.
First, encryption is seen as a cause for higher insecurity.his way of presenting encryption is actually well known from the "CryptoWars" that took place in the Us in the 1990s (schulze 2017;Diie, Landau 1998).hese debates revolved around the question to what extent the state should be able to control the implementation of encryption systems (i.e. its key-length or the implementation of backdoors) or whether this would violate privacy rights and actually decrease security by weakening available encryption systems. he state -here the Us state, especially the nsa and the FBIpresented encryption in negative terms.encryption was considered to be harmful since it would prevent lawful interception by law-enforcement (Denning 1996).his same motive can be found in the current debates revolving around encryption (some- times called CryptoWars 2.0, Meinrath, Vitka 2014).schulze in his comparison of the two phases of the debate has shown how similar motives stemming from the 1990s appear again in the post-snowden debates on encryption (schulze 2017).
he theme of encryption as increasing insecurity emerged in the earlier days of the CryptoWars, but can be found today and is also present in the German debates.encryption is depicted as potentially harmful by providing anonymity to criminals and preventing state actors gaining access to data.his theme can be illustrated by the statement by de Maizière at the German-French summit on cybersecurity: "security administration should under strict requirements -constitutional requirements -be allowed and be capable of decrypting encrypted communication if this is necessary for their work and the protection of the population." (de Maizère 2015).
To be clear, de Maizière is keen on emphasizing the importance of privacy and the need for encrypted data for the economy.he quote above is a rare stark statement presenting encryption as a threat for security.For example, actors such as the BnD or the BKa (secret service and federal police of Germany) present the increasing risks through networked technology and thus try to depict a threat-scenario that then makes stronger control of digital communication necessary.To give one example: the BnD starts its discussion on cyber-security with reference to the increasing threat of espionage and the harm this does to the economy.Only in the last paragraph does the BnD state that "[the BnD] has the permission and the technical capabilities for the strategic capture of international data traic" (BnD 2018).his means that the BnD argues for the need to access encrypted information -but does not present encryption as a threat in a straightforward way. he need to have access to all kinds of data traic is linked with a broader concern for security in the networked world (Monsees 2017).hey only implicitly consider too strong encryption that cannot be broken by law-enforcement as a problem.
However, in the German discourse the opposing view is dominant.encryption is perceived as a means for protection and state regulation of encryption is seen as deeply problematic (Monsees 2017).not only is encryption considered to be a corner stone for the security of the economy and especially global inance, it is also seen as an antidote to the ever-present surveillance by the state and global ICT companies.especially ater the snowden revelations, encryption was again discussed in mass media as a possible solution against surveillance.Furthermore, activists supported the spread of encryption sotware in order to strengthen the privacy of citizens.he core threat is here not encryption or espionage but the increasing surveillance by secret services that are "out of control" (as activists present the threat in: neumann 2014, Kurz/Rieger 2013).From this perspective, it is crucial that citizens use encryption in order to be secure from the state.his sentiment comes to the fore in the quote by the activist vollkorn from the Chaos Computer Club, who argues against current actions by the state and its secret services: Pobrane z czasopisma Mediatizations Studies http://mediatization.umcs.plData: 15/09/2023 04:36:43 U M C S man input is crucial.his theme runs through the whole debate: since the technology is so complex and its afect unpredictable, human action is necessary.
But even when emphasizing the role of humans we run into a problem: the knowledge of experts is limited, too.Importantly, these limits are acknowledged by the actors themselves.Consider this quote by an expert speaking in 2014: "even crypto-experts do not know how long the current algorithms will provide protection.[…] herefore, it is necessary to inform oneself about the possibilities of exchange or for upgrades [lit.: upgrade-paths] before one (starts) using an encryption-solution" (Ries 2014).
Uncertainty as a prevailing theme thus also manifests in the depiction of expert knowledge.he value of knowledge for assessing the future is limited.space is opened up for thinking about the role for human action and, with the emphasis on the limited knowledge of experts, where even resorting to specialists is not a straightforward option.Uncertainty thus even covers the limits of knowledge -and not only technology.
his brings us to the third theme: the role of humans.In a context that is characterized by uncertainty and limited knowledge, not only do we need better technological solutions, constant adaptation by humans is also necessary.a technological ix does not by default solve the complex problems.his becomes especially apparent if texts are analyzed that look closer at how encryption works.since encryption relies heavily on mathematics, such a base is crucial for encryption to work. he following quote stems from an article that deals with encryption and internet security published in CHIP, a specialized magazine on IT-issues.Mathematics serves as an indicator for the potency of encryption, but at the same time the article problematizes the technology.
"according to snowden, strong encryption ofers the best tool to protect oneself against global espionage, but in the way the browser and server use HTTPs-connections, the strength of the encryption does not come into play.[…] Furthermore, in PFs the session key is not sent over the internet but computed by every party -this is based on pure maths.If PFs is implemented correctly, both session keys are deleted as soon as the communication ends" (Mandau 2014, my own emphasis).
PFs refers to perfect forward secrecy, a speciic kind of encryption that is supposed to ofer the best security.he emphasis on the strengths of mathematics and the strong capabilities of encryption contrasts its dependency on proper implementation by humans (users) and the technological environment, which needs to work as well.although encryption (and its mathematical base) is assigned strong abilities to increase security, all actors are aware that encryption always relies on implementation by human users.his sentiment is taken up by multiple calls to focus on the education of the user, who needs to become more knowledgeable.horsten schröder a German IT-expert states that "customers must be […] educated" (schröder 2014), and activists groups such as the Chaos Computer Club or the electronic Frontier Foundation have been vocal in trying to educate users about surveillance and the role of encryption in providing better privacy and security.he mathematical parts of encryption are thus Pobrane z czasopisma Mediatizations Studies http://mediatization.umcs.plData: 15/09/2023 04:36:43 U M C S weak if they are not accompanied by knowledgeable users.Complexity thus means also that mathematics, technology and a skilled end-user all have to come together to achieve higher security.
his section showed how security is conceptualized with references to complexity, risk, uncertainty and unpredictability. he analysis revealed that this is the dominant framework for cybersecurity in which encryption is discussed.his shit to a risk-paradigm in connection with highlighting the importance of not only technology but also human actors make certain security measures possible.even though actors disagree about the assessment of encryption for security, a common reference point of complexity and uncertainty make it possible to acknowledge the role of all actors (users, governments, companies) and technology as crucial for security.encryption only works if the technical part is accompanied by skilled users and means that allow the governing of the complexity of networked technology.Measures such as multi-stakeholder approaches or public-private-partnerships are thus more likely to come into being.Understanding that 'security' is not a simple task that can be provided by the state makes it possible to promote alternative modes of governing.

Conclusion: multi-stakeholderism and internet security
his article presented insights into the German public discourse on encryption.Based on a discourse analysis, this article focused on two main themes.I irstly showed the ambiguous role of encryption in the broader security discourse.encryption is presented as both a threat and a solution for more security.encryption is associated with two diferent, opposing meanings in terms of security.While too strong encryption is considered to be an obstacle for law-enforcement, encryption is also presented as the best tool to provide security from the state.
In building on this, I scrutinized what kind of understanding of security underlies the encryption discourse.his understanding of security in terms of uncertainty and incalculable risks is not unique to the cyber discourse.Indeed, scholars of international security have long observed this shit in a variety of ields, such as health, aviation and inancial security (Rasmussen 2001;amoore 2013;elbe 2008;salter 2008).Critical analyses have shown how ideas like the precautionary principle constitute a distinct form of governing security (aradau and Van Munster 2007).In the context of encryption, references to uncertainty make it possible to discuss the role of end users, infrastructure and sotware as part of a complex security landscape.encryption has a crucial role in this network since it is perceived as a crucial technology.
hese insights are not only important for our understanding of encryption as a security issue as such, but they also have political implications.If security is discussed in terms of complexity, uncertainty and unpredictability, then this also has repercussions on what kind of governing practices are considered to be most efective.since cyber security involves all kind of actors, technologies that transgress traditional scales and cause uncertainty then the core challenge is to cope with this complexity.approaches such as multi-stake holderism or public private partnerships become the most plausible governance mechanisms (Hofmann 2016;Carr 2016).hese methods of governing are perceived to be most plausible to account for the unintentional efects of technology, the ambiguous role of encryption and the need to educate the end-user.he presentation of encryption as a security issue in the way that I described above thus makes policy approaches such as multi-stakeholder governance more plausible.although German activists are critical about the role of companies, their insistence on the complexity of the issue plus resentment about the power of state actors (secret services) allow the discursive underpinning of security measures that give power and responsibility to a multiplicity of actors, including companies, end-users, states and nGOs.In line with the discourse theoretical tenets I described above, I am not claiming that the relationship between 'logic or risk' and 'multi-stakeholder governance' is deterministic, and I also do not clam that this is the best (or only) way to think about governing encryption.answering this question would involve discussing who 'we' want to be responsible for increasing security and who will or should be empowered by security measures.his article is just a irst step in tackling these broader questions.

U M C S
. hrough textual analysis one can see which patterns of presenting encryption and security prevail.his allows me to understand which statements were possible to say and which not.Ultimately, I am able to reconstruct what kind of assumptions about security underly the discourse on encryption. a Security technology.notes on the German debate on encryption…