But Is Anyone?
This article originally appeared in Westlaw Journal Software Law. By Randall Samborn and Samantha Kruse.
Microsoft Corp. and dozens of technology companies, trade groups and privacy advocates are hailing the recent July 14 ruling by a federal appeals court that rejected the government’s use of a domestic search warrant to access customer email content stored outside the United States. But their collective sigh of relief is likely to be relatively short-lived, as it should be.
This 3-year-old dispute over a 30-year-old statute is just the latest watershed in the faceoff that erupted earlier this year when Apple Inc. and the FBI clashed over access to the San Bernardino, California, shooter’s iPhone.
The privacy of electronically stored communications is gaining increased scrutiny following additional episodes of terrorism and violence in Orlando, Florida, Dallas and elsewhere, and pressure is building in Congress to adopt legislative remedies on several technology fronts, including the escalating battle over encryption.
In Microsoft, the 2nd U.S. Circuit Court of Appeals said:
When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st-century demands for access and speed and their related, evolving expectations of privacy.
The lower court had issued a U.S. search warrant to the Justice Department for Microsoft’s stored data in Ireland upon finding the high standard of probable cause that the email content being sought would yield evidence of narcotics trafficking.
In quashing the warrant, the appeals court ruled, under the Stored Communications Act, that the illegal extraterritorial invasion of privacy occurs where the stored data are located, not where the individual whose privacy rights are at stake resides. Here, the data were stored in Ireland and the trial judge had no authority to issue the extraterritorial warrant for that information under the Stored Communications Act.
But, in other instances, should this result thwart the legitimate needs of government law enforcement agencies to effectively conduct global investigations that threaten the homeland and our national security?
While the Justice Department considers such options as seeking en banc or U.S. Supreme Court review, Microsoft President Brad Smith declared that the decision “ensures that people’s privacy rights are protected by the law of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”
On the latter point, we applaud his recognition that better solutions are needed. The standoff between technology companies and government must not only be de-escalated, but the two should seek to work cooperatively to ensure privacy rights are respected and adequately protected, while law enforcement has the same adroit access and ability to fight crime across new technology platforms that criminals have to wage it.
The government’s alternative of seeking content stored overseas through other means, such as mutual legal assistance treaties, is inadequate to provide the rapid production that nimble national security protection requires.
Indeed, much attention is being focused on U.S. Circuit Judge Gerard Lynch’s concurring opinion, which he wrote partly “to emphasize the need for congressional action to revise a badly outdated statute.”
A bipartisan group of senators in May proposed the International Communications Privacy Act, which is unlikely to be passed this year. The law would allow use of domestic search warrants to retrieve electronic communications of U.S. citizens, permanent residents and some foreign nationals, wherever the individuals and content are located. This borderless approach is far more reflective of the global digital world today than when the Stored Communications Act was enacted with a nascent internet in 1986.
While the major service providers and other technology companies tussle with the conflicting ramifications of storing customer content domestically or abroad, data security remains at the forefront of corporate risk management planning.
Encryption, one of the most effective means of achieving data security, is the translation of data into a secret code. Only a person or a device with the correct decryption key is able to decode the message. End-to-end encryption goes a step further, so that no outside sources can access the keys needed to unlock the data.
At its root, the debate over information privacy vs. government access revolves around two factors alluded to above: how, and perhaps more importantly, whether, the private and public sectors can work together to maximize information security.
There is good reason why law enforcement is pushing hard to ensure that it has agile access to vital evidence in a world that is increasingly reliant on digital communications and e-commerce.
In the omnipresent digital space, emails, texts, other forms of message sharing (some self- disappearing) and electronic logs form a critical piece of the puzzle. Law enforcement agencies are taking encryption into account as they grapple with how to best address acute and ever- changing threats.
TECH GIANTS, NATIONAL SECURITY AND CELLULAR DATA, OH MY!
In February, Apple CEO Tim Cook wrote customers an open letter about the need for encryption and the threat of government overreach. Cook’s letter was transparent and responsive, encouraging other tech giants to take an assertive stance on stronger encryption.
Facebook and Google both responded positively following Apple’s public response to the FBI’s request that the Cupertino, California-based company unlock the San Bernardino shooter’s phone to aid in the investigation. Other companies have been falling in line.
Mozilla recently launched a platform called Codemoji to help users learn about the value of encryption.
“When more people understand how encryption works and why it’s important to them, more people can stand up for encryption when it matters most,” Mozilla executive director Mark Surman said in a June 29 interview with ZDNet.
While policymakers remain divided about encryption, private sector data security and technology specialists are clearly taking a stand and encouraging users to do the same.
The slow drumbeat of the encryption debate has escalated into a deafening drumroll of late. Lawmakers, law enforcement officials, chief executives and technology policy mavens continue to argue over whose end goal is more important or whether there is room for compromise.
The fight over access to information is age-old; it pits law enforcement agencies against many individuals concerned about the increasingly intrusive surveillance techniques of the intelligence community. (This is no longer a simple waiting game about whether Detective Jimmy McNulty is going to get a wiretap on Angelo Barksdale’s burner phone and make a drug bust on a Baltimore corner like what happened in HBO’s The Wire.)
While the government was able to walk away from its court battles with Apple in the San Bernardino case and a subsequent case in New York, the larger encryption debate forges ahead.
The Orlando nightclub massacre and fatal ambushes of police in Dallas and Baton Rouge, Louisiana, rekindled the encryption issue.
The FBI and other law enforcement agencies demonstrably need to access the killers’ digital communications and electronic records to fully investigate and understand their motives, preparation and whether they had any assistance.
As a nation, we must search for ways for public and private sector entities to appease both ends of the spectrum: the need for public safety and international security vs. the expectation of privacy in our most personal information. Furthermore, can government officials agree among themselves whether unbreakable encryption is a threat or a bene t to American citizens?
INDUSTRY, POLICYMAKERS SEEK SOLUTIONS
Everyday consumer practices like e-commerce cannot exist without sufficient encryption. But, as foreign and domestic threats become more and more sophisticated, is a ban on encryption necessary for national security?
The House of Representatives’ Homeland Security Committee released a report in late June that, despite its flaws, broadened the discussion of encryption. The report defines encryption as the process of limiting access to data using codes or algorithms that make the data unintelligible to unauthorized readers.
As such, the financial industry would not be able to support online banking services for its customers without the encryption market. This is not cut-and-dried enough to make this an easy scenario for policymakers. The biggest takeaway from the report may, in fact, be that the encryption debate is nowhere near over.
Encryption is not the ultimate solution to all of our national or international security concerns. But what is? As with many policy decisions, there are three cards on the table: a ban on encryption; a mandate for security backdoors at a national level and/or the creation of an encryption commission built to forge the middle road and include all stakeholders, as proposed by Homeland Security Committee Chairman Michael McCaul, R-Texas.
If government and law enforcement officials were to gain unlimited access to attacker’ phones, we might not inherently be able to understand terrorists’ plots and their evasion of detection. It would, however, serve a vital role in any comprehensive investigation, just as so-called citizen journalism in the form of cellphone videos and social media posts played a critical role in the investigations of the Dallas police murders and the deaths of Alton Sterling and Philando Castile while detained by police officers.
Though there are valid competing principles, national security and public safety have to be given more weight in this ongoing debate. Revealing, and troubling, was the congressional testimony in April of Amy Hess, the FBI’s executive assistant director for science and technology, who acknowledged the FBI’s lack of resources to solve the encryption problem. Since her testimony,
CIA Director John Brennan has also reiterated the importance of government collaboration with the private sector.
Of course, there will be trade-offs on both sides, but the chances of getting an anti-encryption law passed appear bleak. In June the Senate blocked the National Security Letter Amendment, which would have given the FBI the power to acquire internet records without a court order, including browser histories, email metadata and text messaging logs.
NEW FRONTIERS AND WHAT’S NEXT FOR ENCRYPTION?
Notably, technological advancements and how law enforcement employs that technology are not always aligned. The next crypto war frontier is mobile applications. WhatsApp, a mobile messaging app, and others have historically utilized data encryption that prevents anything shared over the platform from being read by the company itself, let alone intruders.
Most recently, Facebook has gone so far as to introduce end-to-end encryption in its mobile messaging app in response to consumer demand for secure communications and to compete with services like WhatsApp.
So, how do we tackle this policy dilemma and address the concerns of all stakeholders? In a report on encryption released in March, the Information Technology & Innovation Foundation, a think tank focused on the host of critical issues at the intersection of technological innovation and public policy, suggested that the National Security Agency should always report discovered security flaws to developers so that companies can fix the flaws.
In addition, Congress should help state and local law enforcement strengthen cybersecurity forensics expertise, both via monetary support and training. Moreover, the U.S. government and private sector should fortify information security standards domestically with the ultimate goal of improving cybersecurity standards worldwide. The cooperation of the private sector and government data security experts is essential in identifying vulnerabilities through ethical hacking operations and creating legal access solutions.
This article, similar to the House Homeland Security Committee’s report, does not purport to offer a solution or put a bow on the crypto war. In today’s digital world, we must find a way to allow law enforcement to effectively do its job and protect the homeland but also to maintain trust between citizens, government and private enterprises that house customers’ confidential information.
Why not bring together a commission to advocate for better cybersecurity practices domestically and abroad? Real change cannot come about until the public and private sectors work together on encryption and enact new legislation that addresses our evolving digital world.
Collaboration across sectors may lead to the development of encryption software restrictions that aid in efforts to uncover illicit information. Ultimately, as a society, we should be able to simultaneously prioritize public safety and information security.