Government and industry must find middle ground on encryption
by Neil Desai
The Globe and Mail
May 17, 2016
For months, a single Apple iPhone has held the attention of the news media, legislatures, security agencies and civil liberties organizations around the world. The smartphone confiscated in the investigation stemming from a mass shooting in San Bernadino, Calif., has gone from potential evidence to symbol of a backlash against the questionable use of intelligence in the name of national security.
Apple has latched on to the perceived public mood that governments can’t be trusted with customer data, including private communications, regardless of whether they are captured in transit (a grey area in most countries) or from a lawfully collected digital device. The company’s latest operating system has been equipped with a level of encryption that it claims it cannot recover, even under circumstances deemed to threaten national security.
By contrast, BlackBerry has adopted a more co-operative approach, opting to maintain decryption keys. The Canadian company’s corporate policy caused some uproar recently when court documents on the surveillance of a Montreal-area organized-crime ring shed light on the “back door” in its technology. Chief executive John Chen advised customers that use of the decryption was not unlimited and that “there is a balance between doing what’s right, such as helping to apprehend criminals, and preventing government abuse of invading citizen’s privacy.”
BlackBerry is clearly in the minority, though. With less fanfare, Google has followed Apple’s lead on encryption with the Android platform. WhatsApp, the Facebook-owned messaging platform, recently introduced mandatory end-to-end encryption. Kik Messenger, the Waterloo-based messaging app with hundreds of millions of global users, has made its mark by providing almost complete anonymity.
The public apprehension that some of the world’s largest tech companies are using to justify enhanced encryption is real and shouldn’t be discounted. A recent study by Ipsos and the Centre for International Governance Innovation (CIGI) on Internet security and trust in 24 countries, including Canada and the United States, found 57 per cent of citizens are more concerned about their online privacy than they were a year earlier. Just 38 per cent believed their online activities were not being monitored.
But leaning on these insecurities as a justification to build impenetrable walls around data is ill-advised. The big-data revolution is actually still in its infancy. While the Internet is more than two decades old, 90 per cent of its data has been created in the past two years, and data creation is only going to expand.
Our connected world will continue to deliver consumer convenience, networked communities, new industries and corporate efficiencies. But we also have to acknowledge that it’s enabling a new world of crime and despair.
This goes well beyond what critics of national security agencies would call existential threats, such as terrorism and cyberwarfare. They include crimes such as sexual exploitation of children and fraud schemes that prey on the vulnerable. Both are enabled by anonymity, the ease of operating across jurisdictions and enhanced encryption.
More and more of the tangible evidence law enforcement requires to investigate such crimes is becoming harder to obtain. Evidence laws in most countries were not conceived when cloud-based storage or impenetrable encryption were foreseeable realities. Legislatures will have to come to grips with these modern realities and update laws.
Both government and industry could benefit from delving deeper into the Ipsos/CIGI data about attitudes on this issue. While there is fear about the unknown capabilities of the modern surveillance state, there is also a pragmatic desire for technology to reconcile privacy and security issues.
Although a majority stated they were more concerned about their online security than they were a year ago, 63 per cent of those surveyed agree that companies should not develop technologies that prevent law enforcement from accessing an individual’s online conversations. And 70 per cent agreed that law-enforcement agencies should have a right to access the online communications of its citizens. That number rose to 85 per cent if the communications being accessed were those of someone suspected of committing a crime.
Governments and security agencies can’t address citizens’ concerns on their own. They will need willing industry partners. These companies should not try to absolve themselves of responsibility by creating products that lock the door and throw away the keys to the enormous amounts of data being generated every day.
Government and the technology industry would benefit from resetting this intractable, existential debate. Both sides would be better served by a principle-based approach that aims to respect privacy while acknowledging today’s security challenges. Both should be transparent about what data will be shared with law enforcement and security agencies under what circumstances.
This will not alleviate all tension points – both technology and crime will continue to evolve. Independent oversight of data sharing would go a long way toward maintaining citizen confidence that safety and privacy are both being pursued. It would also give the private sector license to co-operate or refuse demands for data as the situation demands.