Regulation of encryption by technology firms

Regulation of encryption by technology firms

Legal professional with strong interest in antitrust, strategy and new technology.

Firms like Google, Microsoft and Apple devote a significant amount of resources towards ensuring that the data they store, including the content of messages, is encrypted; the goal being to avoid accusations of invading or failing to protect digital privacy (considered by many to be a fundamental right). One (perhaps unintended) consequence of this is that many criminals and terrorist organizations use well-known communication services, such as WhatsApp, to communicate and conspire with other criminals and terrorists on the basis that law enforcement agencies cannot force technology companies to make their encryption techniques reversible on demand. The increased effort to preserve users’ digital privacy works in a criminal’s favor, who can use encrypted messages to communicate without fear of law enforcement agencies decrypting his messages and using them as evidence against him. There is therefore a strong incentive for governments to regulate the extent to which messages encrypted by technology firms can subsequently be decrypted.

There is a balance to be struck between full encryption (which gives full force to rights of digital privacy) and, on the other hand, a complete ability to decrypt encrypted messages (allowing thorough enforcement of criminal laws). For example, a proposal to require technology firms to encrypt messages and data only to the extent to which they can still decrypt the data upon the presentation of a warrant or otherwise might strike privacy advocates as a false positive: what is the point in encrypting a message in order to protect privacy when the message can be readily decrypted by either the firm or the state? The notion of making encrypted data decryptable is also counterintuitive, since many sophisticated criminals now operate online, stealing both identities and money (McAfee estimates that the cost of cyber-crime was up to $575 billion in 2014). The key argument of tech companies is that allowing “backdoor” access to encrypted data by law enforcement authorities would make it easier for these hacking crimes to take place. As Apple commented to the Wall Street Journal, “We know that criminals will seek out encryption techniques or develop their own, so weakening encryption in consumer devices will only hurt law-abiding citizens who rely on it to protect their data.” Other firms, like Blackberry, are more compliant when it comes to decrypting their data on request by law enforcement authorities.

Another problem with the regulation of encryption is that one state’s rules will not apply to the encryption programs of a firm operating in another state. Tech firms may relocate their headquarters to a country with less regulation of encryption (as the trust of users is critical to the success of any data-intensive technology firm), or, alternatively, criminals using the services of regulated firms may switch to the services of firms located in states with less regulation and higher levels of sophisticated encryption.

A good study for this topic would be a firm like ProtonMail. The firm differentiates itself on the basis that emails handled on its servers are fully-encrypted (“Secure email with absolutely no compromises.”) (a similar app, Signal, exists for private messaging). In contrast to Hotmail and Gmail, ProtonMail uses client-side encryption to protect emails and user data before they are sent to its servers. It is based in Switzerland (outside the EU) and currently has around 500,000 users who do not need to reside in Switzerland to use the service. Other messaging services, such as SnapChat and Telegram, include self-destruct timers (optionally in the latter service) which delete a message permanently after a certain period of time.

The increased awareness of digital privacy rights and the emergence of controversies like revenge-porn have sparked demand for services that allow users to send and receive messages without fear of that data being stored somewhere and coming back to haunt them. Even Google and Apple have now included end-to-end encryption in their smartphone messaging software as a default setting, making it impossible for law enforcement to decrypt the data.

The political emphasis has shifted in recent times from catching criminals to preventing terrorist attacks. In the wake of the attacks in Paris, the FBI ramped up pressure on tech companies to allow law enforcement access to encrypted information if they have a court order. The intention is to direct public opinion in favor of sacrificing secure privacy in the digital age and increasing the regulation of encryption by tech companies. Whether this strikes the right balance between privacy, crime prevention and crime detection is a topic for interesting research.

Further reading:

http://www.wsj.com/articles/fbi-seeks-to-reframe-encryption-debate-1451417252

http://www.wired.com/2016/01/fear-mongering-politicians-will-make-tech-2016s-scapegoat/

http://www.wsj.com/articles/time-for-a-rigorous-national-debate-about-surveillance-1451856106

http://www.economist.com/news/briefing/21679266-how-balance-security-privacy-after-paris-attacks-terrorist-data

http://www.wired.com/2015/12/dead-easy-phone-crypto-app-signal-comes-to-the-desktop/

http://manhattanda.org/da-vance-addresses-6th-annual-financial-crimes-and-cybersecurity-symposium

http://www.apple.com/privacy/government-information-requests/

Data Google Privacy Silicon Valley

Comments