In July of 2019, Attorney General (AG) William P. Barr made several public statements urging tech companies, in particular those that provide messaging services, to install or implement “backdoors” into their products. In other words, AG Barr requested that these companies provide the federal government with access to encrypted messages and information that the companies themselves would otherwise be unable to access. During his speech, AG Barr argued that without this access, law enforcement would be unable to do its job effectively. Moreover, AG Barr noted his frustration with the tech industry and emphasized that if companies like Facebook and Google did not start to provide government access, he would engage Congress to produce legislative measures mandating law enforcement backdoors.
Following his July statement, AG Barr pivoted from his work concerning encrypted data and entered into the first ever bilateral data access agreement with the United Kingdom’s Home Secretary, Priti Patel. This U.S.-U.K. agreement is a result of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which Congress enacted last year to address situations where law enforcement agencies conduct investigations that cross international borders and create legal challenges. These investigations often involve requests for communications pertaining to citizens of multiple countries. Those communications may be stored overseas or in multiple physical locations, a common arrangement in today’s cloud computing environment. In these circumstances, the laws of multiple jurisdictions come into play and sometimes even conflict.
The CLOUD Act addresses the legal complications surrounding cross-border investigations by authorizing the U.S. government to enter into bilateral agreements with foreign governments to create processes for agencies—as well as the companies that receive investigative requests—to follow that are consistent with the due process and privacy rights that citizens of a given country enjoy. The U.S.-U.K. agreement should serve as a template for future discussions between nations wishing to implement subsequent CLOUD Act agreements with the United States. Under the terms of the agreement, American companies must respond to valid British government requests for text messages, emails, and other forms of electronic communication when such correspondence pertains to “serious crimes” and where the investigation target is not a U.S. person; and British companies must respond to similar requests from the U.S. government, where the investigation target is not a British person. Accordingly, the citizenship of the target of an investigation determines which country may directly request correspondence.
Notably, the CLOUD Act removes the blanket prohibition on U.S. communications providers cooperating with a foreign investigation, but only where the United States has a CLOUD Act agreement with that country and where the investigation does not target a U.S. person. ACT | The App Association supports these improvements, and we are optimistic that similar agreements will ensue as a result of the U.S.-U.K. leadership.
But What Does This Mean for Encryption?
While this agreement marks a historically significant moment in cross-border investigations, it should not give commentators, political pundits, and policymakers the opportunity to push for bad policy when it comes to the protection of encrypted data and consumer privacy. Following the media attention from the bilateral agreement, many spectators were quick to point out that the issue of encrypted data in serious crime investigations has yet to be resolved, causing some to believe that the U.S.-U.K. agreement itself included a provision that weakens encryption. Contrary to these beliefs, the U.S.-U.K. agreement actually clarifies that it does not require companies to maintain an encryption backdoor for law enforcement.
Nonetheless, AG Barr, Home Secretary Patel, and Australian Home Affairs Minister Peter Dutton reignited the encryption debate by collectively issuing a letter declaring their joint opposition to Facebook’s recent proposal to enact end-to-end encryption for all of its platforms. Specifically, the letter highlighted how such a proposal would hinder the ability of law enforcement to decrypt or access any electronic message sent by any Facebook user. The language of the letter urged Facebook, along with other messaging providers using or considering encryption, to reconsider its position that the needs of law enforcement cannot be reconciled with consumer privacy. The three leaders insisted that a government loophole to access encrypted data would not violate consumer privacy since it will only be utilized by law enforcement and under the legal constraints of a warrant. However, what this letter failed to address is that bad actors would also be able to use this loophole for their own agenda.
The App Association recognizes the U.S. government’s incredibly difficult task of balancing safety and security with the property and privacy rights of millions of consumers. But a resolution is impossible without understanding the implications of creating a law enforcement loophole.
First, there is widespread concern that by creating a backdoor for encrypted data, both good and bad actors will have access to users’ communications and personal information. This leaves consumers at risk of cybersecurity attacks and data breaches, like the Equifax breach, which greatly impact consumers’ lives in the present and future. To make matters worse, if U.S. companies are subject to mandated backdoors, U.S. products will suffer on the international market because they lack fully encrypted security measures, which would severely wound the U.S. economy.
Second, the government may not recognize the burdensome costs that backdoor requirements impose on both large and small companies that must create these loopholes. For example, every time a tech company creates a new product, it will have to create a new key for government access and assess further security measures to protect its customers. Thus, when the government says that the safety of the public is a top priority, the tech community agrees, but there has to be a way to preserve the privacy and security of millions while still being able to carry out a thorough investigation under the law.
What Comes Next?
AG Barr and the Department of Justice (DOJ) team made it clear through recent remarks and their warrant-compatible encryption conference that encryption and data accessibility for law enforcement purposes are top priorities for this administration. Even though the DOJ asserts that law enforcement backdoors are the only way to access encrypted data, there are alternative solutions for retrieving this information. For example, the DOJ and other law enforcement agencies have the ability to allocate resources to decryption and hacking personnel and tools. By investing in such tools, the U.S. government will be able to resolve concerns surrounding access to encrypted data, while allowing tech-driven industries to continue to innovate and compete in the global IT market. Further, collaboration amongst government agencies may also allow for more opportunities to develop methods of access to encrypted data in future technologies.
Research has shown that the inability of investigators to find unencrypted data relevant to an investigation and obtain it in a usable format is more of a problem for investigators than the unavailability of data due to encryption. To help address this larger problem, the federal National Domestic Communications Assistance Center (NDCAC) provides assistance to local and state law enforcement agencies as they seek digital evidence from private sector companies. Additionally, these organizations provide training programs and assistance manuals for law enforcement investigators. These tools help law enforcement understand which kinds of data are most useful for a given investigation and provide guidance on how to interpret the data they uncover. Therefore, to address this problem, AG Barr and his counterparts in the U.K. and Australia should begin with education between companies and agencies—instead of weakening privacy-protective measures like encryption.