Privacy, Data Protection and Security
Monday, 04 April 2016 14:56
By: Arthur M. Freyre
The House Judiciary Committee, prior to the Easter recess, announced that it is forming a working group to further investigate encryption issues and the challenges they may pose to law enforcement’s ability to protect the American people. The formation of this group is an encouraging start in finding an adequate balance between innovation and security, but how it will go about addressing the encryption debate remains to be seen. This latest move by the House Committee follows not only the FBI-Apple debate but also the introduction of various bills in state legislatures that would require all smartphones manufactured and sold to be decryptable.
As I have written in the past, a balanced approach between privacy interests and national security interests is critical in developing successful policies. Should compromise become one-sided, making it “either…or” in terms of interest, i.e., either a privacy issue or a national security issue, then the resolution to this debate becomes more difficult to find.
In March, Representative Trey Gowdy questioned Bruce Sewell, the General Counsel and Senior Vice President of Legal & Global Security for Apple, during a House Judiciary Committee hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy”. The focus of the hearing was to examine the present issues which law enforcement faces in protecting the public should encryption technology be used for harmful purposes, an issue that has been highlighted by the FBI-Apple debate.
When addressing encryption, the working group should accept the following parameters:
Encryption technology is evolving and continues to evolve. The rapid innovation in the technology sector is blatant. Any legislation that fails to take this into account will become obsolete, because the technology will have outpaced what the legislation intended to address. Instead of creating regulations based on current technology, Congress should take the regulatory humility approach.
Encryption is a business necessity. As we become more dependent on technology, we increase the number of potential targets available to hackers. The encryption of personal information is one defense that an individual would have against hackers. The ability to protect private information will become necessary for average consumers, forcing encryption software and technology to provide affordable options for the general public. Cybersecurity will no longer be considered a luxury. Any pending legislation that does not accept this fact will thwart the availability of defense against hackers to the general population.
The procedures for obtaining encrypted data require trust. This is the proverbial elephant in the room. Here Congress needs to address two issues: accountability and consequences. Despite the National Security Agency’s assurances that they are not monitoring US citizens, there is still a lingering doubt stemming from the Snowden disclosures. Any federal legislation that allows an agent of the US Government to have access to a person’s encrypted texts or emails without proper vetting is highly suspicious. By proper vetting, I am referring to a strong legal standard that a government agency would need to show to the court in order to decrypt information. Obviously, a warrant is necessary. This vetting standard must take into account the balance of the two interests: privacy and national security.
The second issue, of equal importance, regards accountability. What would happen to an agent or agency that abuses power by accessing information without a viable reason? History tells us that Presidents have used government agencies to go after enemies of the State. Acceptable encryption legislation that can be trusted by the public must include actual and tangible consequences for those who abuse such privileges.