This year’s Black Hat USA conference is currently underway in Las Vegas. Last year, Jennifer Granick and I spoke at Black Hat about handling technical assistance demands from law enforcement. (You can watch video of the talk here.) We reported that there were a number of unsettled legal questions about what the U.S. government can and cannot force a company to do to assist in an investigation.
One year later, that remains true. In the intervening months, we haven’t seen any decisive court rulings or legislative developments in the U.S. to clarify the bounds of companies’ legal duty to help law enforcement access their customers’ communications and other data. Overall, the larger “going dark” debate over encryption has mostly been in a holding pattern in the United States this year. Given the chaos now pervading the political branches, that might not change in the near term. But if it does, it’s doubtful that the change will be for the better.
In the past year, the U.S. government has not publicly sought to force technical assistance from Apple, Google, or their ilk in order to access user data. That’s not surprising given the agency’s high-profile drubbing in the “Apple vs. FBI” case last spring. However, the government may be still be making such demands outside the public eye, either in the courts or through back-room discussions.
One option is that the government is still filing technical-assistance requests in court, but doing so under seal—meaning the public cannot scrutinize the request and the company affected cannot discuss it openly. Since last fall, Jennifer and I have been seeking to unseal surveillance matters filed in Northern California federal district court in which the records are still sealed but the need for secrecy has passed. Our goal is to discover what, if any, technical-assistance demands law enforcement has sought (and been granted) here in our own backyard. That effort is proceeding gradually. Last month, the court denied a motion we’d filed in January seeking to unseal the docket sheets for the category of cases that includes surveillance matters. Nevertheless, I’m hopeful that we’ll start to see some surveillance records getting unsealed in the near future. Once the public gains access to these matters, we should find out more about how law enforcement carries out electronic surveillance and, potentially, how it compels tech companies’ help in accessing their users’ private data.
Rather than file under-seal technical-assistance requests, another possibility is that the government has chosen to rely more heavily on discussions with tech companies and communications providers behind closed doors. The idea is to persuade those companies to “voluntarily” change their products and services to enable law enforcement access, without the risk of creating adverse case law that the government runs when it tests out novel legal theories in court. You may recall that in late 2015, then-FBI Director James Comey advocated this “voluntary” approach. That was four months before the FBI went to court for an unprecedented, aggressive technical-assistance order to Apple. Clearly, then, the “voluntary change” and “court-compelled assistance” tactics are not mutually exclusive. But following the Apple vs. FBI firestorm, the agency may be focusing more on the former strategy than the latter.
When Comey was fired in May, the “going dark” camp lost its champion. Yet his would-be replacement appears to be a case of “meet the new boss, same as the old boss.” In testimony to the Senate Judiciary Committee earlier this month, the president’s nominee, Christopher Wray, repeated the same meaningless line about “balance” between encryption and law enforcement needs that we’ve heard so often before. Wray’s testimony also indicated that if confirmed, he, like Comey before him, would favor pressuring companies privately to get “on board” with law enforcement needs.
Wray is not alone in favoring this tactic. Troubling developments brewing in other Western democracies such as Australia, France, and the United Kingdom have the potential to spill over into the U.S. Following a recent meeting of the so-called “Five Eyes” countries (the U.S., Canada, the U.K., Australia, and New Zealand), officials vowed to “engage” with communications and technology companies on law enforcement access to encrypted data. They didn’t specify what this “engagement” would entail, but it’s safe to assume it doesn’t mean a thumbs-up and a “keep up the good work.”
Back-room discussions with tech companies and communications providers are not the right way to set policy on issues of encryption and technical assistance. Like under-seal demands in court, private pressure on providers skirts transparency and accountability to the public, i.e., the customers of the affected providers. How those companies design the encryption and other security features of their products and services affects not just data security, but the civil liberties and human rights of users around the globe. The U.S. and its surveillance partners should keep their hands off strong encryption—but as long as they’re determined to keep waging this seemingly endless war against math, the public needs to be informed and involved.
There have been no reports of an “Apple vs. FBI 2.0” in 2017. Perhaps no news is good news. But if the U.S. government has in fact been secretly pursuing surveillance strategies that deserve public scrutiny, it may be that, true to the zeitgeist of 2017, no news is fake news.