Opinion: The Foreseeable but Unintentional Consequences of the Encryption Debate
Legislation, Regulation and Corporate Defence
An opinion piece by our correspondent Alexander Urbelis, Partner, Blackstone Law Group LLP
Even though the FBI has successfully gained access to the iPhone data of the San Bernardino terrorists – effectively mooting the ongoing litigation between the FBI and Apple – the debate over whether the government should be able to require mandatory decryption of smartphone data persists. Pitting privacy against public safety, the debate is polarized on both sides.
In response to Apple’s formidable and persistent legal opposition to the FBI, legislative proposals in the United States, at both the State and Federal level, have taken aim to prevent what one side of the debate perceives as corporate recalcitrance to provide access to data. What is clear, however, is that the long-term effects of this debate have not been given great thought, yet merit serious consideration.
A Patchwork of State and Federal Legislation
Starting on the west coast, in California one such legislative proposal (AB 1681) recently failed when lawmakers refused to bring the bill to a vote. California’s bill would have mandated that smartphones sold after 1 January 2017 “be capable of being decrypted and unlocked by its manufacturer or its operating system provider.” A civil fine of 2,500 USD per non-compliant phone sold in the state would have applied.
Midway through the country in Louisiana, and directly responding to the Apple v. FBI debate, a similar proposal remains before the state legislature. As with California's proposal, the Louisiana bill proposes that smartphones must be able to be decrypted or unlocked, but going further, the bill requires that this capability must exist “without the necessity of obtaining the user passcode.”
On the east coast, in New York a bill nearly identical to the Louisiana proposal is sitting in committee. This bill, touted and promoted by Manhattan District Attorney, Cyrus Vance, as a necessary response to Apple’s full disk encryption, was first introduced at the end of 2015 and reintroduced early in 2016. A peculiar wrinkle to the New York proposal is that District Attorneys are afforded the power to enforce the law by bringing a civil suit against device manufacturers in the counties they represent.
It has been suggested that this patchwork, state-by-state response to the encryption debate is actually designed to encourage the federal government to legislate on this issue. This may be for good reason because it has also been argued that state legislation regulating the use of encryption could pose an unconstitutional barrier to interstate commerce, possibly violating the Dormant Commerce Clause of the US Constitution.
To the rescue come US Senators Dianne Feinstein and Richard Burr who recently introduced the Compliance with Court Orders Act. This Act, which comes with the support of the FBI, the National District Attorneys Association, and the New York City Police Commissioner, targets not just smartphone manufacturers but also software developers, electronic communications service providers (e.g., WhatsApp, Signal, Wickr, Silent Circle), and any person or entity who provides a product to facilitate electronic communications.
The Technical and Privacy Community Response
Not surprisingly, there has been a great deal of pushback from the technical community and digital rights activists such as the Electronic Frontier Foundation with regard these legislative proposals. The cogent arguments advanced (as with the FBI v. Apple debate) generally centre around the deleterious effect insecure-by-design practices would have on personal privacy and communications. Others argue this legislation would not only be ineffective because encrypted devices would be available across states and national borders, but also that these laws would hinder innovation in the United States and encourage consumers to utilize software and products developed outside US borders. All of these arguments, however, are premised on the erroneous assumption that the major impact of these proposed laws and requirements will be borne by individual users.
What has not been addressed are the unintentional consequences of weakening corporate defences by weakening smartphone security. There has been a major uptick in companies adopting “Bring Your Own Device” policies, enabling employees to use their own smartphones for business purposes. In lockstep with this trend is the development of more and more enterprise apps that are critical for businesses and which access or store sensitive business-related information, whether that be trade secrets, business plans, financial data, etc. An example of this growing trend is the fact that Apple and IBM launched 100 enterprise iOS apps in 2015 that touch upon sixty-five professions and fourteen industries, and Apple has recently announced a new enterprise partnership with SAP. As mobile platforms continue to take over the desktop, this trend will only grow stronger.
Assuming that the concern of the privacy and cryptography contingents is correct – that the very existence of a “backdoor” will weaken every device’s data security posture – what was a backdoor into a smartphone will become an unlocked front door into companies and organizations. If a secret “backdoor” can be utilized by the US government, it will be discovered by others.
The potential for misuse and exploitation of such a backdoor is tremendous and has economic ramifications that could far outstrip the adverse impact on individual privacy rights. With smartphones deliberately designed for insecurity, they become honeypots for criminals searching for personal and financial data, nations seeking foreign and business intelligence, competitors looking to steal trade secrets, and a great deal of other malicious actors.
With the proliferation of enterprise apps, smartphones, and pervasive BYOD policies within corporate cultures, the regulation of encryption on smartphones, intended to assist the investigation of major crimes, may have the ironic effect of enabling cybercrime on a massive scale. As things stand today and given current trends, there is no denying that when personal defences are weakened, so too are corporate and enterprise defences. As such, the efficacy and wisdom of these legislative proposals deserves serious reconsideration.
This article gives the views of the author, and does not represent the position of the Cybersecurity Capacity Portal, the Global Cyber Security Capacity Centre nor of the University of Oxford.