Thursday 6 August 2015

Just Say No to Civil Liability for Encryption Providers

Last Thursday, Lawfare posted an article so controversial that Edward Snowden was among the digital privacy advocates to speak out in opposition.

Lawfare, Apple, Encryption, Civil Liability, Edward Snowden
In “Civil Liability for End-to-End Encryption: Threat or Fantasy?” legal experts Benjamin Wittes and Zoe Bedell attempted to objectively determine whether a company such as Apple could be held liable if its encrypted communications were utilized in carrying out a terrorist attack or crime.

The conclusion of their two-part article was murky at best: “The irony is that the logical consequence of this analysis is not necessarily that Apple should design its systems so as to facilitate law enforcement access to encrypted communications when presented with a warrant. It may well be, rather, that it should deny service to individuals once it has been put on notice that the government has probable cause that those individuals are engaged in criminal or terrorist activity. That presents a weird kind of due process issue, of course. Those individuals have not yet been charged with any crime. Some may be innocent. And from the Bureau’s point of view, cutting off service may be the last thing investigators want, as it would tip off the suspect that his activity had been noticed. 

“All that said, it’s a bit of a puzzle how a company that knowingly provides encrypted communications services to a specific person identified to it as engaged in terrorist activity escapes liability if and when that person then kills an American in a terrorist incident that relies on that encryption.”

The article was met immediately with harsh criticism from the privacy community, whose tweets accused the authors of everything from “expressly threatening Apple w/terrorism prosecution” to continuing a “braindead jihad against encryption.” Wittes and Bedell posted a second article later that day, insisting that as an encryption agnostic and a backdoor skeptic, respectively, their point had been missed.

If Wittes and Bedell were surprised by the pushback, they shouldn’t have been. The Electronic Frontier Foundation recently declared the Crypto Wars a global phenomenon, citing proposed and passed legislation in the United States, United Kingdom, Netherlands and Australia as evidence. The privacy community recognizes that the world is engaged in a real, immediately impactful debate about the necessity of government backdoors; rather than let an arbitrary inquiry into a hypothetical situation be interpreted as a reason to compromise Apple’s—and everyone’s—encryption, they spoke out.

The concern about the implications of the article was so great that the Intercept even reached out to Edward Snowden for a response. Snowden took advantage of the opportunity to remind Wittes and Bedell that encryption cannot be reduced to a domestic issue:

“The central problem with insecurity mandates has never been addressed by its proponents: if one government can demand access to private communications, all governments can. No matter how good the reason, if the U.S. sets the precedent that Apple has to compromise the security of a customer in response to a piece of government paper, what can they do when the government is China and the customer is the Dalai Lama?”

In solidarity with privacy advocates everywhere, SumRando's founder concurred that “encryption—integral to the security SumRando users rely on—is currently our strongest tool in the fight against unwarranted surveillance and in support of a right to privacy. It is impossible to ignore that people from all walks of life, from around the globe, knowingly or passively, depend on this technology to maintain their online safety."

In Part One of their article, Wittes and Bedell wisely concluded that Apple’s hypothetical liability could simply come down to the “zeitgeist of the moment.” As such, the privacy community has reminded the authors that majority opinion finds no rational, logical or objective argument for holding Apple liable for a crime committed using its encrypted communications.

No comments:

Post a Comment