Encryption law serves two purposes: (1) the creation of legislation that promotes the confidentiality, integrity and availability of encrypted information, and (2) the development of encryption policies and techniques that will protect against cybercriminals. Government has played a significant role in providing encryption resources to its facilities, as well as to organizations in the private and public sectors. Several government departments influence the country’s encryption policies and implementation, including the NSA, NIST, the Department of Homeland Security (DHS) and the Department of Defense (DoD). While the NSA and NIST are primarily responsible for intelligence gathering and the implementation of some policies, DHS is ultimately responsible for developing and enforcing new encryption tools within the United States, and DoD uses US Cyber Command for encryption-related cybercriminal or cyberterrorist activity that takes place internationally. Each department aims to provide encryption methods for government data. Legal implications relative to cryptography fall into four categories: (1) export control, (2) import control, (3) patent issues, and (4) search and seizure (“Encryption Law”, 2020). Each component is a significant factor during the creation of legislation or in the judicial system when a party needs to restrict or provide access to encrypted data.
Export control laws prevent the exportation of encrypted data from the United States to any other entity within or outside of the country. These laws are among the most important factors in cases involving national security. They are also sometimes present during investigations at private corporations. The greatest feature of the export control laws is that they protect confidential military data and provide a framework in which the encrypted data cannot be collected by an adversary. During the development of cybersecurity policies, the export control laws can add significant protection to an organization’s encrypted data, which would be supported by the use of a good solution for end-to-end encryption. When policies and techniques are parallel, they will correspond with each other during processes in which government and corporations may need to launch or defend against legal recourse, cyberattacks and other detrimental activities that may occur.
Import control laws suggest that all encrypted data may be protected for positive or negative reasons. They exist in order to prevent state actors from discovering methods of applying malicious code to encrypted data in another country. Import control laws put a restriction on the types of encrypted data that may enter the country’s networks. These laws are also supported by agreements made through diplomacy by the United States with other territories that have committed not to send malicious code or hackers to try to decrypt the encrypted information found in the United States. These laws and policies protect the national security of the United States and support the integrity of encrypted data for American businesses.
Encryption and decryption methods can be essential for patent issues. These laws exist primarily to protect intellectual property. When technologists decide to develop a new innovation, or assemble a group to create software or other applications, the person responsible for the original idea should obtain a patent and encrypt the file to identify which party has the legal authority and ownership rights for this particular technology. Patents can be somewhat tricky when it comes to international industrial espionage, which is frequently carried out by hackers in China and in other territories outside the United States. An encrypted patent will be exponentially more difficult to access through a cyberattack, which will prevent others from copying or stealing the contents of the patent and the intellectual property.
One of the most controversial components of the legalities of encryption concerns search and seizure. The controversy is over the point at which a defendant has to provide access to their encrypted data during a court proceeding. Encryption is applied when one or more parties want their information to remain secure and confidential; however, the courts in some circumstances can compel the defendant to decrypt data via a court order, or their refusal will be used as an indication of their guilt. While search and seizure continues to appear in many legal cases, there is currently no mandatory legal standard that judges and juries should follow in order to request decryption by defendants in all circumstances. There is no common standard instruction for the courts on what to do in these circumstances.
Does the right to privacy outweigh legal pursuits of the government for security and lawful issues?
The problem is that internet users do not have complete privacy of information when it comes to the legalities of encryption. It raises the question: should users be satisfied giving up some of their privacy for more security? Apparently, there is no right or wrong answer; however, some solutions are more popular than others. Options that limit government attempts to gain access to encrypted data are typically more popular than the solutions that do not. A potential solution to this issue would include measures that feature both privacy and security.
In most instances, national security outweighs an internet user’s privacy. Some cybersecurity analysts believe that the country is at war with COVID-19, terrorism and cyber warfare. It is reasonable to regard this description as accurate, as these areas require government resources in order to handle a large number of cases at any given time (Perez, 2020). Cyber warfare refers to the ongoing intelligence gathering and response to offensive and defensive cybersecurity measures that will be launched by the United States or defended against by an adversary. After the terrorist attacks on the World Trade Center in 2001, internet users found themselves with a decrease in privacy and an increase in security measures. An effective government strategy would be to create access points on networks within the United States in order to filter malicious packets that may be sent from hackers or cyberterrorists. A good argument for internet surveillance would be the ability to identify terrorists that may be operating independently before they get the opportunity to launch a cyberattack.
According to some analysts, it is the government’s job to provide security for its citizens. These measures are outlined in the United States Constitution, where the concepts related to privacy are not. Based on the Constitution, national security interests should be at the forefront of government operations, even during circumstances in which an individual’s encrypted data is at stake. The term “securing general welfare” is Constitutional and “privacy” is not. In most legal situations the Constitutional term will be applied and a defendant may need to decrypt data that is submitted as evidence in a case. These security measures in court can save people’s lives, provide unequivocal evidence of a crime that has been committed, and point investigators in the right direction in order to find even further data as the case proceeds.
In the creation of policies for privacy and security, the broader the security portion of the policies, the more helpful it is for governments to conduct intelligence gathering and potentially gain court orders to view encrypted data. This will certainly cause a loss of privacy and the need for organizations to determine through their internal policies what types of information they would be comfortable providing to government and law enforcement during investigations, and which ones the company should keep private until they receive a potential court order. Companies should also be aware of the potential for government surveillance and of the organization’s need for a policy on what the government is allowed to see and what should remain confidential.
Even though there are some laws that protect privacy, they do not outweigh national security in most situations. The 4th Amendment upholds privacy by banning inappropriate “search and seizures”; this gives users some authority over the kinds of data that can be collected about them and how the information is used. However, government surveillance is considered an integral part of national security and will usually be viewed as such during a court proceeding, which will supersede the 4th Amendment.
Government surveillance may also infringe upon the First Amendment. Internet users have the right to say anything they would like through publishing text on websites and social media. Many users may want this communication to be encrypted by the owners of the content management systems that they use. For open-source programs like WordPress, there are thousands of plugins that users can apply to incorporate encryption strategies and security procedures into their web pages. If government is able to have access to these forms of encrypted data, a solid argument could be made that it could be a breach of a defendant’s First Amendment rights, even though this would rarely occur in court.
Some analysts would suggest that government surveillance does not increase national security. This assertion would be false in most circumstances. Government surveillance assists law enforcement in identifying and arresting criminals after they have conducted a serious attack, or as a preventative measure that occurs before a terrorist is able to complete their destructive plans. The same surveillance is used for the protection of the country’s critical infrastructures, which protects everyone in the United States from cyberattacks on critical infrastructures like the electric grid, water and transportation. Even though everyone benefits from government surveillance, when it comes to the decryption of a critical piece of information in court, many would argue that government is overreaching when it attempts to conduct surveillance on encrypted data. It makes some people in the technology community less comfortable in court proceedings, as they may feel that the government will be granted too much authority to view data in ways that may be unconstitutional. Surveillance is legal as long as the proper warrants and court orders are in place in order for the government to gain access to encrypted data. Many would suggest that the laws are flawed and that internet users are losing their rights to privacy, which is a true assertion. Users will lose some of their privacy in exchange for security. The privacy vs. security debate is one of the most important discussions in cybersecurity, as it will determine if it is necessary for the courts to mandate defendants to make their encrypted data viewable as evidence. It is clear that it is not an either-or scenario. Policies regarding privacy and security should be implemented through methods that complement each other, rather than internet users feeling like they have no rights to privacy.
Stance on United States v. Fricosu
The court granted the government’s motion to view the defendant’s decrypted laptop. The judge determined that the Fifth Amendment did not apply in this case because the government had already built its “burden of proof” and articulated reasons why viewing the decrypted files on the hard drive was significant evidence in the case (Perez, 2020). The Electronic Frontier Foundation filed litigation on behalf of Fricosu’s rights under the Fifth Amendment. The judge also determined that decrypting the files on the hard drive would not be an incriminating act. My stance is that the judge allowed the government to overreach in its pursuit of evidence. The case was about mortgage fraud, and the judge already determined that the government built a strong enough argument within their case. Forcing the defendant to decrypt data in a scenario in which the courts are already leaning toward siding with the prosecution is unnecessary and unconstitutional in my opinion.
Discuss deniable, undeniable, and plausible deniability with respect to encryption.
Deniable encryption gives the encrypted data the ability to be decrypted in two or more ways. It is a strategy in which the sender can deliver an encrypted file to multiple parties that will get different messages when they use their decryption key (Rouse, 2020). This process is sometimes used unethically, particularly with communication at corporations at the highest levels; a sender may give one group of staff members a positive message while sending the Board of Directors something with a different message. Undeniable encryption is the process of using keys to maintain the secrecy of encrypted data in transit (Aimani, 2009). It is meant to confuse the intruder so that they do not know which keys are for encryption or decryption, and it is generally accepted as a best cybersecurity practice. The same procedure can be implemented for creating indistinguishable digital signatures. Plausible deniability occurs when the sender creates multiple forms of cipher text, sends it to a receiver, and may confuse intruders by having some of the encrypted data be non-sensitive (Brockmann, 2015). This is considered a best cybersecurity strategy to maintain the integrity and secrecy of information.
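The "decrypted in two or more ways" property can be shown with a one-time pad. The following is an added illustration, not taken from the cited sources: one ciphertext opens to the real message under one key and to a decoy under a second key derived afterwards. The function names and sample messages are constructed for this example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad(message: bytes, length: int) -> bytes:
    """Right-pad with spaces so real and decoy messages have equal length."""
    if len(message) > length:
        raise ValueError("message longer than target length")
    return message.ljust(length, b" ")


def encrypt(real: bytes, decoy: bytes) -> tuple[bytes, bytes, bytes]:
    """Return (ciphertext, real_key, decoy_key) for one shared ciphertext."""
    size = max(len(real), len(decoy))
    real_p, decoy_p = pad(real, size), pad(decoy, size)
    real_key = secrets.token_bytes(size)  # one-time pad key, never reused
    ciphertext = xor_bytes(real_p, real_key)
    # The decoy key is computed after the fact so that
    # ciphertext XOR decoy_key equals the decoy message.
    decoy_key = xor_bytes(ciphertext, decoy_p)
    return ciphertext, real_key, decoy_key


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt and strip the space padding added by pad()."""
    return xor_bytes(ciphertext, key).rstrip(b" ")


if __name__ == "__main__":
    # Constructed sample messages.
    ct, k_real, k_decoy = encrypt(b"Q3 results miss forecast", b"Lunch at noon")
    print(decrypt(ct, k_real))   # the real message
    print(decrypt(ct, k_decoy))  # the decoy, from the same ciphertext
```

The decoy key exists only because a one-time pad key is as long as the message; a cipher with a short fixed key does not offer this property on its own.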
Why are the NSA, FBI, Apple, Google and other IT industry leaders in the middle of this topic?
The NSA and FBI, two government departments, are a part of the privacy vs. security debate because they are often tasked with the responsibility to develop measures and implement encryption techniques that will provide network security for Federal entities and those from the ISPs across the United States. One of the challenges concerns jurisdiction: it can be difficult to decide which agency should handle a particular cybersecurity matter, especially since the Federal government has DHS and DoD to use as well. Sometimes the NSA and FBI may need to appear in court and attempt to gain access to encrypted data in order to pinpoint cybercriminals and bring them to justice or gain additional information that can be used in court. The same is true for Apple, Google and other IT industry leaders, as they must develop cybersecurity policies to inform staff on how to handle court orders, warrants and other legal documents that seek to gain access to a company’s encrypted data. What separates the technology companies is that most of them are private organizations or have experienced an IPO, in which they should have the right to privacy of encrypted data and protect information regarding the Board of Directors and shareholders. Usually, judges decide to decrypt data in order to see if it is relevant to the case. Technology companies are very uncomfortable with this process as they want to secure all their data, including patents and other forms of intellectual property, but the law typically gains access to these encrypted documents frequently.
Should the FBI require companies to maintain access to communication devices and services?
No, the FBI should not require companies to maintain access to communication devices and services. Companies in the private sector should not be subject to government overreach. It is possible for private technology companies to develop and collaborate with government on certain projects, especially those that rebuild American infrastructure, but the FBI should not essentially have backdoor access to any company. The reason for this assertion is that it would be difficult for IT, Cybersecurity, Executive Management and the Board of Directors to trust in the integrity of their data if another party has access to it at any given time, even if it is a government entity that has the intention to reduce the network activity of cybercriminals.
References
Aimani, L. L. (2009, January 1). Anonymity from Public Key Encryption to Undeniable Signatures. International Conference on Cryptology in Africa. Retrieved from https://link.springer.com/chapter/10.1007/978-3-642-02384-2_14
Brockmann, A. (2015, January 1). A Plausibly Deniable Encryption Scheme for Personal Data Storage. Scholarship at Claremont.
Encryption Law — Guide to Cryptography Law. (2020, January 1). Retrieved July 16, 2020, from https://www.hg.org/encryption-law.html
Horth, B. (2012, February 2). U.S. v. Fricosu: District Court Holds that Defendant Cannot Refuse to Decrypt Hard Drive under Fifth Amendment. Retrieved from http://jolt.law.harvard.edu/digest/u-s-v-fricosu
Perez, T. K. (2020, January 1). Does National Security Outweigh the Right to Privacy? Retrieved from https://www.theperspective.com/debates/living/national-security-outweigh-right-privacy/
Rouse, M. (2020, January 1). What is Deniable Encryption. Retrieved from searchsecurity.techtarget.com/definition/deniable-encryption