Encryption Whiplash

Many consumers want their personal information and private communications to remain private.  Directives from the Federal Trade Commission (FTC) and the California Attorney General insist that consumers’ personal information remain private – even encouraging app developers to encrypt information so it is inaccessible to hackers and data thieves.

But the Federal Bureau of Investigation (FBI) and national security agencies want a back door to our phones so they can access everyone’s information if and when they choose for law enforcement and anti-terrorism work. They really don’t want networks and device manufacturers to encrypt information because that makes it harder to access. And while they haven’t announced it yet it seems likely that these same federal agencies also want a back door to every app and to your in-home network.

What is an app developer to do? And how are Congress and the courts, and our international trading partners, going to manage this challenge?

For 20 years traditional telephone companies, and more recently broadband networks, have been on the front lines of balancing consumer privacy interests and law enforcement interests.  Congress mandated law enforcement guaranteed access to phone company networks, but made that access subject to court review. Law enforcement would request court approval for information and telephone companies would provide the requested information after the appropriate legal process was satisfied.

But traditional phone companies are no longer necessarily Americans’ standard means of communicating.   Consumers are increasingly transitioning from voice calling to messaging, emailing, and in-app communication.  This complicates law enforcement and national security agency data requests.  It also implicates personal privacy, consumer expectations, economics, law enforcement and safety.

New statements by law enforcement are reminiscent of those used to justify requirements in the Communications Assistance to Law Enforcement Act or CALEA. CALEA is a law that originally granted the ability of law enforcement to wiretap digital telephone networks by mandating that telecom companies be prepared, technologically, to facilitate sharing of information with government agencies.  It was expanded in 2004 to require that law enforcement be provided the ability to monitor VoIP and broadband — so that they could monitor Web traffic too.

Under CALEA, law enforcement won legal mandates that required companies to build a back door into their business so that government could access data about consumers. These requirements were incredibly disruptive for tech companies.  Now it seems there is once again a push to expand the type and number of companies that would have to build systems to facilitate government access.

This is inconsistent with what other government experts are suggesting app developers do, however.  In the wake of the Snowden revelations, the President’s own experts, the Group on Intelligence and Communications Technologies, said in their final recommendations to the President, "The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.” (Source: Liberty and Security in a Changing World, Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies (Page 22) http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf )

The Federal Trade Commission’s website similarly advises mobile developers, “If your app handles personal information, consider protecting or obscuring the data — for example, by using encryption.” (Source: http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security)

These types of instructions have companies moving forward on research and development, new products and services and apps in a way that provides greater encryption and consumer protections. Now law enforcement is saying they need even more data.

App developers, like anyone innovating a new product, have large startup costs to overcome before their product even makes it to market and any inconsistency of government requirements is one burden too many for them to prevail.

It’s this kind of inconsistency over security features as Attorney General Eric Holder and FBI Director James Comey are pushing against end-to-end encryption - an idea running counter to both White House and FTC instructions to tech companies and app developers - that is bad for innovation, the economy and developers.

Apps developers that are creating jobs and growing the economy cannot be whipsawed by federal agencies telling them to do one thing and then others complaining when they follow those directions. Innovation and economic drivers need consistency from government agencies to research and develop, create products and jobs and grow the economy. We are in favor of safety and innovation and believe we can have both with solid encryption and cooperation.

Posted By: 

Tim Sparapani 

VP of Law, Policy, and Government Relations