US data access bill represents latest clash in encryption conflict

Tom Wicker

Since the US government took Apple to court over a locked iPhone linked to the San Bernardino shootings in 2015, political ire has intensified. Some politicians have denounced encryption, which protects digital information from being read by third parties, as a shield for terrorists.

The debate was reignited in May when the US Department of Justice (DoJ) broke the encryption of an iPhone belonging to a terrorist who killed three sailors. This followed what the DoJ describes as Apple’s refusal to decrypt the device. Apple, for its part, argues it cooperated with the investigation by providing ‘every piece of information’ it could.

Some commentators accuse politicians of using terrorism as an excuse to exercise greater control over citizens. Responding to the LAED bill, Neema Singh Guliani, Senior Legislative Counsel of the American Civil Liberties Union, expressed her concern that giving agencies like the US DoJ the power to access encrypted data would potentially leave protestors, for example, vulnerable to state interference.

Changing the law in this area could have practical consequences, too.

Aaron Burstein is a partner at Kelley Drye & Warren, with experience in data privacy and security issues. ‘Government agencies have presented a fair amount of evidence that some of their investigations have been stymied by an inability to decrypt material,’ he says. ‘And the possibilities of working around those obstacles are limited, given the strength of encryption currently available and the level of resources it takes.’

Most democratically elected governments can currently apply for a court order to force tech companies to provide them with the digital information they need, on a case-by-case basis. ‘But it can take too much time to obtain a court order during an urgent criminal investigation,’ says Takashi Nakazaki, Vice-Chair of the IBA Data Protection Governance and Privacy Subcommittee and special counsel at Anderson Mori & Tomotsune. He says this is particularly true of Japanese courts.

Enshrining in law a ‘backdoor’ to encrypted data, then, would undoubtedly speed things up in the specific context of law enforcement investigations and prosecutions. While, in Burstein’s view, the LAED bill ‘doesn’t contain a backdoor mandate per se… the question is very much how companies would be able to comply with the orders if they don’t have some sort of access designed into the encryption in their devices.’

But introducing a backdoor brings with it a host of security issues. ‘Strong encryption is what allows us to shop safely online and to make payments through our banks. It’s the kind of thing that keeps people safe from oppressive regimes,’ says Joe Hancock, Head of Cyber at Mishcon de Reya.

Crucially, ‘as soon as you weaken encryption for one, you’ve weakened it for everyone,’ he says. If you introduce a technological backdoor, sophisticated criminals will inevitably find their way in, too. Ransomware attacks on healthcare organisations in recent years are one example of the existing vulnerability of computer systems and software to data breaches.

‘And the people you’ll be left catching will be the naïve criminals who’ve not heard of personal security,’ Hancock adds. ‘The people you want to target will just use stronger encryption outside your control.’ Straight away, ‘these laws won’t really have their intended effect,’ he says. ‘It’ll be like catching just the old, weak and sick.’

There are also likely to be commercial consequences. Takashi Nakazaki highlights the conservatism of tech companies in Japan, many of which are industry leaders. ‘Under the Japanese constitution, privacy of communication is strongly protected,’ he says. ‘They don’t want to disclose data to the public.’ This translates into careful scrutiny of privacy laws elsewhere.

If a country introduces anti-encryption laws, it’s possible that savvy tech companies would steer clear of doing business there. Hancock points to controversial legislation passed in Australia in late 2018. It empowered the police to force companies to create a function enabling them to access encrypted messages without the user’s knowledge. ‘That’s a great way to kill the Australian cybersecurity industry,’ he says.

Aside from anything else, then, changing the law on encryption could have a negative impact on a country’s economy. ‘If the UK or US were to say that every product made there had to allow government access, no one is going to buy anything from their security industries,’ says Hancock.

The police and national intelligence agencies ‘do need to have certain powers you wouldn’t give to every individual,’ believes Hancock. For the detection and prevention of crime, he says, ‘we accept a certain erosion of our civil rights and liberties.’

Sweeping legislation to create digital security backdoors is arguably akin to applying a sledgehammer to a nut, creating multiple areas of risk. It’s also important not to forget – nor forget to examine – the powers that many governments already have in this area. ‘I’m not convinced that changing the technical status quo at this point is necessary,’ says Burstein. He points out that the judge in the San Bernardino litigation did ultimately issue a court order to Apple to assist the US government.

‘We need to work through it politically and societally,’ Hancock reflects. ‘I hear very vocal voices on both extremes. There are probably others we don’t hear from.’

Perhaps there is more work to be done to the house before an overly hasty government opens the backdoor.

Image: eamesBot