Over a year after the FBI's much-publicized struggle to access an encrypted iPhone, the debate around whether private technology companies should build in "backdoor" access for government authorities continues. Many companies that offer electronic communication services say absolute, unbreakable encryption is a necessary consumer cybersecurity protection. But for law enforcement officials, it is an excessive barrier to lawful investigations.
Despite all the attention the debate has received, it is nowhere near resolution in the United States, where many of the world's largest and most influential technology companies reside. And some believe that the slow pace to address this challenge in the United States may be intentional.
At the Aspen Security Forum in late July 2017, the acting assistant attorney general of the National Security Division, Dana Boente, hinted that the United States may wait to see how this debate evolves with nations across the Atlantic before offering its own solution.
"The terrorism challenges in Europe are really kind of tough, and they may lead the way and carry some of our water on this," Boente said.
For some in the encryption debate, Boente's comments were overly optimistic. But for others, they were telling, underscoring the expectation that many European nations will take a hardline position on encryption policy, and thereby make it easier for other countries like the United States to do the same.
Kendall Burman, cybersecurity and data privacy counsel at Mayer Brown, explained at the forum that as many technology companies sell their devices or applications in multiple countries, a shift in encryption policy from an economically powerful region will inevitably create a worldwide market standard for such products.
"If one country in Europe or if the EU makes certain moves in encryption, you have the reality that it's going to force companies to comply with that law," she said.
Burman described this as a "business reality," noting that it is not cost-effective for companies to make different versions of their products with different encryption features, such as built-in backdoors, to sell in different jurisdictions around the world.
But while a distinct possibility, Michael Vatis, partner at Steptoe & Johnson LLP, believes that such a market-driven encryption change is a far-off scenario given the trouble European nations are having agreeing on encryption policy in the first place.
"I would say [that Europe is] struggling with this encryption problem as much as the U.S. government is struggling with it," he said at the forum. "While some countries have proposed certain things to try to ensure lawful access by law enforcement agencies to encrypted commutations, I don't think anybody in Europe has come up with a solution to the problem yet."
Indeed, there have been sharp differences between European countries in this area. The national governments of the U.K ., Germany and France have expressed a desire to break absolute encryption with the use of backdoors.
But the European Parliament's Committee on Civil Liberties, Justice and Home Affairs has taken the opposite position, recently releasing a proposal that would bar EU member states from actions "that would result in the weakening of the security and encryption" of electronic communication providers.
Such disagreements in encryption policy, however, strike some as superficial. Jacob Ginsberg, senior director at email encryption and security firm Echoworx, noted at the forum that many Europe nations are already tipping the scales by passing legislation that favors security over privacy.
As an example, he pointed to the U.K.'s Investigatory Powers Act 2016 , which, among other things, requires "communication service providers" to retain internet users' information for one year for possible law enforcement review, and enables authorities to intercept and hack into suspected electronic devices. Germany also recently passed a law that enables law enforcement authorities to install software on users' devices to effectively access and spy on their encrypted communications.
Ginsberg said that these moves only further establish pro-surveillance laws and activities as acceptable in society. "I think what was happening in the U.K. and across some other countries in the EU is normalizing this kind of behavior and making it more and more an attractive prospect, and a doable kind of option for any other administrations around the world."
Daren Glenister, chief technology officer at mobile solution provider Synchronoss, however, noted that security measures like those enacted in Germany and the U.K. may have the opposite effect, essentially forcing tech companies to take an even harder pro-privacy stance.
"Allowing nation-states to hack devices will only force vendors to strengthen their security posture," he said. "This will become a death spiral as customers demand stricter security controls from vendors to protect their critical data from government oversight."
Glenister added the debate will likely not be solved by policymakers, but by technology companies themselves. "Ultimately, the security versus privacy debate will balance out, and the best solution will be a technology solution. I don't know what that solution is, but I do know advances in encryption and cryptography will win over legal measures alone."
Reprinted with permission from the August 7, 2017 edition of Legaltech News © 2017 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.