This report describes the law of twelve nations and the European Union on whether the government, pursuant to a court order or other government process, can require companies to decrypt encrypted communications or provide the government with the means to do so. Some of the surveys provide additional information on related surveillance issues like the law on monitoring and intercepting communications.
The report finds that while there is a range of approaches among the surveyed countries, a majority make provision for specified intelligence or law enforcement agencies to obtain access to encrypted communications or the means of decryption under certain circumstances.
In France, national intelligence and security services may obtain authorization from the Prime Minister or his delegate, upon the written request of a senior minister, to intercept and read private communications for specifically enumerated purposes, and may request from providers of cryptology services the means to decipher encrypted communications. French law also provides for investigative judges to order the interception, recording, and transcription of private telecommunications in criminal investigations, and law enforcement authorities may obtain authorization to ask any qualified person to perform the technical operations that would allow access to this information.
In Belgium, the intelligence services may obtain authorization from a special independent commission to secretly access, listen to, or record private communications, and can serve a written demand to the network operator or the service provider for technical assistance; such providers are required to have the technical ability to provide decrypted copies of communications when requested by Belgian intelligence. Also, investigative judges may authorize communication interception operations under certain legally defined circumstances, and may order anyone who has a particular knowledge of a relevant encryption service to help access communications in a readable format.
Under current law in the UK, specified law enforcement and intelligence officials under certain circumstances may serve written notice on persons or bodies requiring them to disclose encrypted information in intelligible form. A draft revision of the relevant UK law is being considered.
In Australia, under some circumstances, the police may obtain an order from a court requiring certain persons to provide information or assistance to enable the police to unlock a computer or digital storage device that is subject to a warrant, or to provide information on the decryption of data on such a device in order to make it intelligible to the police.
In Japan, law enforcement officials may request the courts to order the decryption of encrypted information during criminal investigations, and courts may also order the decryption of encrypted information during trials.
In South Africa, a law enforcement officer may apply for a “decryption direction” from a court requiring a decryption key holder to disclose the key or provide decryption assistance.
In some countries, such as Canada and Taiwan, the relevant law does not explicitly address decryption, but does provide a framework under which telecommunications companies are required to assist with government surveillance of communications, and the framework would appear to permit orders requiring them to assist with decryption, at least subject to reasonable technological feasibility.
Similarly, in Brazil, while the relevant law does not make direct reference to decryption pursuant to a warrant, the federal telecommunications agency has provided in regulations that communications providers must make available to certain authorities the technological resources and data relating to the suspension of telecommunications confidentiality. Two known cases apparently involving judicial enforcement of decryption orders (albeit subject to judicial secrecy) suggest that companies may be considered obligated to provide decryption assistance to the government.
In Israel, the law does not specifically address orders for decryption. However, encryption activities are regulated and licensed by the Ministry of Defense, and officials of that Ministry may enter any place where an encryption-related activity is being conducted and request information at any time regarding the subject of an encryption license.
In Germany, certain intelligence and law enforcement agencies have authority to access and intercept communications. While they may use whatever technologies they have at their disposal to unlock encrypted communications, and they may demand that telecommunications providers remove encryption put in place by such providers, there is no legal basis in Germany to compel end users to turn over encryption keys they have used, on the principle that suspects cannot be compelled to cooperate in investigations that would incriminate themselves.
Under current Swedish law, it appears unlikely that a Swedish court would force an ISP, encryption firm, or other entity to decrypt data, because warrants must satisfy a proportionality test, and an order of decryption would not likely be considered proportional. There have been some calls and proposals for legislative changes.
At the European Union level, there is no EU legislation that requires tech companies to disclose the keys to encrypted materials to law enforcement authorities, or to decrypt communications upon the request of a government. Relevant agencies on cybersecurity, organized crime, and terrorism have not reached a uniform position on this issue.
Prepared by Luis Acosta
Chief Foreign, Comparative, and
International Law Division II
Last Updated: 10/01/2016