Full Report
Restricting end-to-end encryption on a single-country basis would not only be absurdly difficult to enforce, but it would also fail to deter criminal activity
Analysis Summary
# Main Topic
The inherent difficulty and ineffectiveness of enforcing national restrictions or bans on end-to-end encryption (E2EE) on a single-country basis, as such measures are logistically unfeasible and easily circumvented by malicious actors.
## Key Points
- Restricting E2EE nationally is deemed absurdly difficult to enforce, particularly concerning visitors from other jurisdictions.
- The proposed enforcement mechanism—potentially requiring device scanning at borders ("device immigration")—is logistically impossible and would cause massive disruption.
- Tech companies, such as Apple and WhatsApp, maintain a strong stance against creating backdoors or master keys for government access, citing fundamental privacy and security concerns.
- Technical implementations based on 'country and region' settings (like Apple's Advanced Data Protection removal in the UK) are easily bypassed by simply changing account settings, immediately re-enabling E2EE features.
- Such localized restrictions disproportionately affect law-abiding residents while failing to deter criminals operating internationally or those adept at simple setting changes.
## Threat Actors
Threat actors pursuing criminal activity (terrorism, child sex abuse, etc.) are identified not by specific hacking groups, but as entities seeking to maintain encryption for illicit purposes.
- **Criminal Intent Users:** Individuals who desire strong encryption to intentionally bypass national surveillance laws.
## TTPs
The primary focus is on circumvention techniques rather than traditional offensive TTPs.
- **Jurisdictional Evasion:** Altering the device's 'country and region' settings within application ecosystems to retain access to E2EE features banned or restricted in their physical location.
- **Multi-Device Usage:** Utilizing multiple devices configured for different jurisdictions to maintain encrypted communications avenues.
- **Service Persistence:** Continued use of E2EE services legally available outside the restricting country, or finding alternative, stronger security solutions.
## Affected Systems
- **End-to-End Encrypted Services:** Specifically mentioned are Apple's Advanced Data Protection (ADP) and WhatsApp.
- **Devices:** Smartphones and other devices capable of storing and transmitting encrypted data.
- **Victims/Targeted Users:** Law-abiding residents of countries attempting to enforce these restrictions, as criminals easily evade the controls.
## Mitigations
The suggested mitigation focuses on policy and legal frameworks rather than purely technical defense against the E2EE restriction itself.
- **No Backdoors:** Tech companies should continue to uphold principles against building backdoors into encryption services.
- **Alternative Legal Access:** Support a system where law enforcement accesses data through legally sound methods, specifically court warrants, backed by robust oversight mechanisms, rather than mandated weakness in encryption.
- **Policy Enforcement:** Recognize the logistical failure of border-based scanning and jurisdiction-based setting enforcement.
## Conclusion
The policy goal of restricting E2EE on a single-country basis is fundamentally flawed due to insurmountable enforcement complexity and trivial bypass methods available to those with criminal intent. This approach risks weakening security for all users without achieving effective deterrence against serious crime. Law enforcement access should be pursued via warrant-backed legal mechanisms that respect strong encryption standards, rather than undermining global security infrastructure.