In a post-Snowden world, there has been relatively more awareness and interest in the right to privacy regarding digital communications; and in knowing when the government can snoop-in on personal conversations. A majority of the communications taking place today are digital and involve two crucial processes i.e. encryption and decryption. Encryption (which is conversion of information into a code) happens when a message/call is initiated. At the same time, decryption (conversion of code back into useful information) happens when the message/call is received by the recipient. There are multiple nuances in this process; both in the technological aspect and the legal aspect.
For quite a while now, WhatsApp chat pages show the message – “Messages and chats are now protected with end-to-end encryption.”. The end-to-end encryption or E2EE (first used in program called Pretty Good Privacy, by Phil Zimmermann in 1991) is a form of encryption that makes it improbable if not impossible to intercept a private conversation. Traditionally, there are 3 instances when a conversation can be intercepted – firstly, from the device of the sender before encryption, secondly, when the information code in is transmission and thirdly from the device of the recipient after decryption.
The two ends i.e. the sender and the recipient, stay vulnerable to unwanted physical access or hacking but it’s the second instance where majority of the snooping takes place. It is here that E2EE becomes useful, for tech companies to bypass court orders and in extension protect user data. E2EE in the simplest of terms means that two people communicating are the only ones who have the specific keys to decrypt each other’s messages and any other person who intercepts such data will have nothing but an unintelligible code. While most communication apps or telecommunication providers have the decryption keys in their own servers; which grant them the ability to see or hear any conversation that passes through their servers, E2EE eliminates this obstacle by giving the keys to both individuals and not the service provider. Imagine the system as that of a letter-box, anyone can put in the messages and lock it (public key) but only the intended recipient has the key to unlock his messages.
This effective bypassing of the service providers has both pros and cons to it. On one hand, it allows for greater freedom for expression of opinions and beliefs without the fear of any sanctions, while on the other hand it stops the governments from carrying out intelligence activities vital for national security. The government, in ensuring the safety of its citizens, does covert operations such as surveillance which enables them to intercept vital communications between suspects; which may lead to stopping of terrorist threat. The importance of such can be gauged from the fact that the latest attack in London included secure-device (encryption) communications between the terrorists and also that ISIS issued instructions for its followers on how to communicate through encrypted apps to plan attacks.
Privacy however is not the only lens through which encryption can be seen in a global setting, for example, promotion and use of E2EE is seen as a human rights issue, as it furthers individual privacy and freedom of expression, which are two rights contained in the International Covenant on Civil and Political Rights (ICCPR). Yet UN reports like “The Right to Privacy in a Digital Age” and “The Promotion and Protection of the Right to Freedom of Opinion and Expression” expound on the idea that judicially ordered decryption is not violative of human rights and has laid down a three part test to limit when a government can restrict encryption.
There is an intense debate about the curbing of powers of law enforcement authorities to gather information through court notices from service provider companies. This debate gained public light after the incident in Brazil, where Facebook had its assets frozen subsequent to its non-compliance of a court order to provide WhatsApp conversational information of a bank robbery gang; which Facebook couldn’t have provided even if it wanted to, as it had no means to do so after enabling E2EE. This incident coupled by Apple’s refusal to the FBI to decrypt the iPhone of the San Bernardino shooter and install a backdoor in their operating system for use by law enforcement, have prompted the UK government to take the issue one step further by enacting a new legislation for surveillance through equipment interference.
The intelligence gathering aspect of E2EE is marred with internal conflictions in the state itself as the state needs such encryption tools to secure its own data but also resents it, as it makes public surveillance harder. Hence, while promoting stronger encryption programs for state use, they limit their citizen’s ability to do so. While certain states like Germany encourage public use of E2EE to avert the covert intelligence gathering abilities of the FIVE EYES countries.
Another facet of this issue is the restrictions in commercial and export area; profit driven tech companies in order to boost sales promote E2EE (more popularity, more sales) and oppose state-imposed rules as this would mean that they can import or build only those applications which allow third party access. Since, every state strives for stronger encryption tools to protect their own data and deal with upcoming security threats, there is state imposed regulations on selling such technology by tech companies to certain states for the purposes of national security and foreign policy goals.
A hypothetical solution to this problem of law enforcement and national security versus privacy can be the innovation of an internal system within the system of such service providing companies like WhatsApp. The internal system, when established would compare every number that tries to send a message with a blacklist (The numbers law enforcement wants to track with judicial approval). When a blacklisted number tries to send a message, the server can stop the E2EE services for the said number from that point onwards and the collected information can be stored in a separate database which can only be accessed by the company’s department handling judicial obligations.
Technology has and will continue to benefit us in ways that cannot be counted, but unaccountable use of such is also capable of great harm. The need for security more than privacy might result in a paradigm shift against rigid privacy laws as is prima facie seen in lawmakers of Florida after the Orlando attacks. It is the cooperation of law and technology together that will result in swifter disbursal of justice and achieve a balance between privacy security and public safety. The adoption of a system such as the one suggested above might be the first step to strike that balance between privacy and safety.