Author – Galina Datskovsky
Over the past year there has been much controversy regarding the obligation of technology companies to aid government in criminal investigations, largely due to the increased threat of terrorism. It has been presented in the press that such tactics are necessary to combat terrorism. On the other side of the debate, technology companies have already begun to offer encryption technologies to secure data in place and in transit. In some cases the vendor does not hold the decryption keys, and thus has no way of responding to a third-party subpoena for information without the knowledge of the party being investigated.
Too frequently, media sensationalism and the knee-jerk reactions of political leadership tend to muddy the waters around the real issues. If guns kill, eliminate the guns. If cars kill, create vehicles that drive themselves. No one has chosen to look at both sides of each knee-jerk reaction or to accept any responsibility for actions taken.
There are many factors in play here and I think it is very important to analyze different aspects of this debate and to separate it into manageable, digestible chunks.
- Corporate and personal communication and information-sharing needs are different, as are the issues driving them, so it is best to separate them and look at them one at a time
- Technology companies offering solutions for the enterprise need to have a somewhat different outlook than those offering consumer products
- Good information governance principles need to be applied at all times
Many organizations have a strict requirement for privacy and security. This may stem from the regulatory bodies supervising these entities, such as HIPAA in the world of patient care, and the need to protect the privacy and security of the patient. It could be a delicate employee matter that cannot be leaked out to the larger audience, or a conversation about Intellectual Property (IP) that must be kept fully confidential.
Thus, any provider that is servicing the enterprise market is keenly aware of the need to keep information confidential. There is a great demand for service providers who can guarantee this functionality, and the reasons – contrary to what the media might have you believe – are far from sinister.
Organizations often must keep a copy of these communications in case they need to refer to them later, whether in the course of doing business or during an investigation or litigation. Which brings me to another issue: there are legal means available to subpoena information shared in these communications that is currently encrypted.
This request is equivalent to requiring a search warrant before entering a premises and removing physical information. It is not done ‘in secret’ nor through a back door. We have laws that deal with such issues of access to subpoenaed information. So – do we sacrifice our protection under the law?
Do we alienate a network of providers who all agree that obtaining a decryption key from the party that holds it is the only way to obtain information, thus providing for an equivalent to a subpoena to search the premises?
I think this could be a very slippery slope. Further, it is almost laughable to think that making adjustments or adding backdoors to encryption technology used by corporations is the best way to stop terrorism, as just reading open, unencrypted forums should clearly identify individuals who might be suspect.
More on that in the installment to follow, "Hi Tech obligations in business and law enforcement: Part 2: Personal Communications".
For now here are some takeaways:
- Organizations need a way to securely and privately communicate information and store it in a secure and encrypted fashion
- A system of regulatory compliance and information requests already exists to allow law enforcement to request relevant information
- Providers need to offer the right security and encryption to satisfy corporate need for information security and privacy.
- Do not overuse terrorism to create another government overreach in the wrong area of focus.
In the next installment we will tackle consumer use of secure communications and rights to privacy. If you would like to further discuss topics around privacy, security, or encryption technologies please contact us.