Author: Poblete Tamargo LLP

As I have written in the past, a balanced approach between privacy interests and national security interests is critical in developing successful policies. Should compromise become one sided, making it  “either…or” in terms of interest, i.e. either a privacy issue or a national security issue, then the resolution to this debate becomes more difficult to find.

In March, Representative Trey Gowdy questioned Bruce Sewell, the General Counsel and Senior Vice President of Legal & Global Security for Apple, during a House Judiciary Committee hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy”. The focus of the hearing was to examine the present issues which law enforcement faces in protecting the public should encryption technology be used for harmful purposes. An issue that has been highlighted by the FBI-Apple debate.

When addressing encryption, the working group should accept the following parameters:

• Encryption technology is evolving.
• Encryption technology is a necessity for businesses since companies of all sizes will become suspect to hackers.
• The procedures to request encryption data must consist of vetting. This will require trust, a perception that many believe the Federal government is unworthy of.

Encryption technology is and continues to evolve. The rapid innovation in the technology sector is blatant. Any legislation that fails to take this into account will make the legislation obsolete, because the technology would have outpaced what the legislation intended to address. Instead of creating regulations based on current technology, Congress should take the regulatory humility approach . For more on regulatory humility see here.

Encryption is a business necessity. As we become more dependent on technology, we increase availability of potential targets for hackers. The encryption of personal information is one defense that an individual would have against hackers. The ability to protect private information will become necessary for average consumers forcing encryption software and technology to provide affordable options for the general public. Cybersecurity will no longer be considered a luxury. Any pending legislation that does not accept this fact will thwart the availability of defense against hackers to the general population.

The procedures for obtaining encrypted data requires trust. This is the proverbial elephant in the room. Here the Congress needs to address two issues; accountability and consequences. Despite the National Security Agency’s assurances that they are not monitoring US citizens, there is still a lingering doubt stemming from the Snowden disclosures. Any federal legislation that allows an agent of the US Government to have access to a persons encrypted texts or emails without proper vetting is highly suspicious. By proper vetting, I am referring to a strong legal standard that a government agency would need to show to the court in order to decrypt information. Obviously, a warrant is necessary. This vetting standard must take into account the balance of the two interests-privacy and national security.

The second issue of equal importance regards accountability. What would happen to an agent or agency that abuses power by accessing information without viable reason? History tells us that Presidents have used government agencies to go after enemies of the State. Acceptable encryption legislation that can be trusted by the public must include actual and tangible consequences for those who abuse such privileges.

The order calls for Apple to provide “reasonable technical assistance.”  Reasonable technical assistance is defined by the following:[i]

• “…Bypass or disable the auto-erase function…”
• “Enable the FBI to submit passcodes to the [iPhone] for testing electronically; and
• “Ensure that when the FBI submits passcodes to the [iPhone] software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.”

The order does state that Apple would need to develop a “software image file” (SIF) that is “coded with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE”, (i.e. the phone in question).

FBI Director James Corney released a statement on February 21, stating, “The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly.”[ii] Public opinion seems to be in supportive of this view as seen in a recent poll conducted by SurveyMonkey with 51% in agreement with the FBI.[iii]

Apple, however, claims that the FBI through this order is calling “…[for] a new version of the iPhone operating system, circumventing several important security features and install it on an iPhone recovered during the investigation. In the wrong hands this software, which does not exist today, would have the potential to unlock any iPhone in someone’s physical possession.”[iv] 

Apple and its supporters argue that this would not only weaken Apple’s encryption codes, but will also create precedent for other foreign governments such as China, Iran, and others to force companies to develop or provide that same key. Both sides have legitimate concerns, however, both sides need to have an honest assessment of the world around them. Apple needs to recognize that this matter is not just a criminal case, but also one involving national security.

Consider a scenario in which a terrorist attack causes a catastrophe on a much larger scale. A government agency may make a similar request to the FBI, and what will Apple do? The pressure to comply fueled by grief and anger will be enormous. Will Apple stick to its conviction to the point of consumer boycotts and the possibility of closing shop?

At the same time, the US government needs to understand that the power they are requesting has the potential for great abuse. The image of a federal government agent or official that has little or no accountability monitoring phone conversations, whatever the motivation, is not comforting. The temptation to rely on backdoor encryption is too strong for any government agency or official to withstand. 

Recently, members of Congress have expressed their frustration with Apple. Some have called for a commission to study the encryption issue much further.  While the idea of a commission is great, there is concern as to who will be making up such a commission. House Homeland Security Committee Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) are expected to introduce legislation to create a national commission to investigate police use of encrypted data and protection of privacy.[v] The Senate Intelligence Committee is also working on a bill regarding encryption, with efforts led by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA).[vi]

Ideally, any legislation concerning encryption should balance an individual’s right to privacy and the security of our Nation. There should be no reason why this cannot become a “both and”, instead of an “either or” scenario. Any encryption legislation should recognize that encryption technology is a unique business product that provides relief from customers’ fears that their emails will not be hacked resulting in the loss of personal or business information. At the same time there should be strong accountability measures (i.e. criminal or civil penalty) for any government agent or official that abuses the backdoor encryption or the access to the encryption key.[vii]   

If the debate becomes only a privacy issue or only a national security issue, then we as a nation lose. We need to reconcile those two interests simultaneously in order for this to be successful.