At Black Hat, a Reminder That Decryption Can’t Be Legally Mandated

"“If you’re ever asked to do something like this, you have a lot of strong legal arguments to say no,” said Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society in a Black Hat talk on Thursday. Granick and her Stanford colleague Riana Pfefferkorn, a Cryptography Fellow, ran down relevant laws and what’s currently known about their parameters and limits. They suggested that companies should plan ahead and assume that law enforcement agencies will eventually send them some kind of technical request—if they haven’t already.

And preparation starts with how products are designed.

“No one is obligated to build in decryption capabilities,” Granick noted, meaning that it is much harder for law enforcement to compel a company to decrypt data that it doesn’t have any type of privileged access to. “You need to be thinking through these design decisions,” Pfefferkorn added. “You can’t be compelled to hand over data that you don’t collect.” Very true. Finally toward the end of the talk, Granick said, “End-to-end encryption is legal. Period.” The crowd broke into spontaneous applause."