The Elephant in the Room: Accountability and Consequences in Obtaining Encrypted Data

As I have written in the past, a balanced approach between privacy interests and national security interests is critical in developing successful policies. Should compromise become one sided, making it  “either…or” in terms of interest, i.e. either a privacy issue or a national security issue, then the resolution to this debate becomes more difficult to find.

In March, Representative Trey Gowdy questioned Bruce Sewell, the General Counsel and Senior Vice President of Legal & Global Security for Apple, during a House Judiciary Committee hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy”. The focus of the hearing was to examine the present issues which law enforcement faces in protecting the public should encryption technology be used for harmful purposes. An issue that has been highlighted by the FBI-Apple debate.

When addressing encryption, the working group should accept the following parameters:

  • Encryption technology is evolving.
  • Encryption technology is a necessity for businesses since companies of all sizes will become suspect to hackers.
  • The procedures to request encryption data must consist of vetting. This will require trust, a perception that many believe the Federal government is unworthy of.

Encryption technology is and continues to evolve. The rapid innovation in the technology sector is blatant. Any legislation that fails to take this into account will make the legislation obsolete, because the technology would have outpaced what the legislation intended to address. Instead of creating regulations based on current technology, Congress should take the regulatory humility approach . For more on regulatory humility see here.

Encryption is a business necessity. As we become more dependent on technology, we increase availability of potential targets for hackers. The encryption of personal information is one defense that an individual would have against hackers. The ability to protect private information will become necessary for average consumers forcing encryption software and technology to provide affordable options for the general public. Cybersecurity will no longer be considered a luxury. Any pending legislation that does not accept this fact will thwart the availability of defense against hackers to the general population.

The procedures for obtaining encrypted data requires trust. This is the proverbial elephant in the room. Here the Congress needs to address two issues; accountability and consequences. Despite the National Security Agency’s assurances that they are not monitoring US citizens, there is still a lingering doubt stemming from the Snowden disclosures. Any federal legislation that allows an agent of the US Government to have access to a persons encrypted texts or emails without proper vetting is highly suspicious. By proper vetting, I am referring to a strong legal standard that a government agency would need to show to the court in order to decrypt information. Obviously, a warrant is necessary. This vetting standard must take into account the balance of the two interests-privacy and national security.

The second issue of equal importance regards accountability. What would happen to an agent or agency that abuses power by accessing information without viable reason? History tells us that Presidents have used government agencies to go after enemies of the State. Acceptable encryption legislation that can be trusted by the public must include actual and tangible consequences for those who abuse such privileges.