GAFA Fight Against Encryption 'Backdoors' As UK, US Prepare New Data Deal

BRUSSELS (Pakistan Point News / Sputnik - 02nd October, 2019) UK-US plans to sign a new data sharing deal that will force tech giants to hand over information sent via their messengers to assist criminal investigations have recently reopened the perennial debate about an industry that fights tooth and nail against every attempt by governments to secure encryption "backdoors," even for the noble goals of countering terrorists, pedophiles and other criminals.

The discussion flared up on Saturday after The Times reported that the deal, due to be signed later in October, would oblige US social media platforms, such as WhatsApp and Facebook, to disclose encrypted messages from suspected criminals.

Yet the leaders of the industry, Facebook first among them, have come out to dispute the article's claims and argue that end-to-end encryption will remain watertight.

MEDIA GO TOO FAR IN SPECULATING ON DEAL'S CONTENTS?

The upcoming deal, a product of years of negotiations, is set to become the first international agreement signed under the United States' 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act. The legislation seeks to enforce surveillance orders on data located outside the United States.

Yet specialized websites and experts maintain that Facebook will not have to give UK police direct access to encrypted messages under the new treaty between the two countries. Nor will WhatsApp messages be decoded, whether in Washington or London.

The treaty, in turn, will likely oblige social media providers to make raw data available, case by case, upon injunction by a judge. So it will not be a blanket agreement covering everything and everybody.

The media speculation, however, did not start without reason. Back in July, UK Home Secretary Priti Patel accused Facebook of making the fight against terrorists and child abusers difficult with its end-to-end encryption, which the social network strongly advocates and wants to extend.

"Where systems are deliberately designed using end-to-end encryption, which prevents any form of access to content, no matter what crimes that may enable, we must act. I will sign an agreement that compels U.S. social media companies to hand over information to the police, security services and prosecutors. We see this data access agreement as an essential tool in the fight against terrorism and sexual abuse," Patel wrote in The Telegraph.

IF THERE IS A BACKDOOR, ENCRYPTION NO LONGER TRUSTWORTHY

According to Jos Dumortier, one of the partners of Timelex, a large legal firm in Europe, the world is currently in search of the right balance between privacy and governments' drive to ensure control and security.

"For law enforcement and national security agencies all over the world, the ideal solution would of course be to constantly monitor everything and every person; exert surveillance to guarantee absolute security. But such a society would be rightly called a totalitarian state," Dumortier, a specialist in the American CLOUD Act, told Sputnik.

What London and Washington are working on, the expert says, is simply an extension of the American CLOUD Act, enabling the US government to collect data for law enforcement purposes, even if the servers are situated abroad. The agreement gives the same authority to their UK counterparts.

The legislation, according to Dumortier, does not provide for an obligation to create "backdoors" by providers, since tech giants understand that this would shatter the encryption system and have catastrophic ramifications for data security.

"It is understandable: if there is a backdoor to the programme, the encryption is no longer trustworthy, and the product is not usable. Banks, the financial world and business in general need the encryption to be watertight when it comes to signatures or money transfers. Electronic payments must be absolutely safe," the expert argued.

Law enforcement agencies can therefore only have access to private accounts after a judge's authorization, with social media providers "obliged to deliver an encrypted version, without being obliged to decrypt it," Dumortier concluded.

To find out whether law enforcement agencies are satisfied with the current level of cooperation with GAFA (an acronym for Google, Apple, Facebook, and Amazon), Sputnik approached a spokesperson for the Belgian federal police, who said that it "works" and they have no complaints.

"We are satisfied for the moment with the access given to our specialized police services by the operators. It is case by case and social network by social network, and only upon request by the police via a judge that we operate. [We] cannot complain about the relationship we have with the large social media. It works," the spokesperson told Sputnik.

WE DEMAND ABSOLUTE DATA SAFETY, BUT WE ALSO WANT POLICE TO CATCH CRIMINALS

The more the world discusses data privacy, the better we realize how complex the matter is.

There is actually a dual tendency on the issue among IT experts and ordinary users alike, who strive for total privacy but also demand effective action from police.

"We want absolute safety for our data and total privacy, but we want the police to catch those terrorists, pedophiles or other criminals and have access to encrypted messages," Christophe Borgelion of Mediatik, a company creating websites and advising on social network marketing and policies in Belgium, told Sputnik.

In this dilemma, GAFA long ago made a clear choice: the privacy and security of their systems must remain untouched. The story of the San Bernardino terrorist attack in California in December 2015, when Apple denied police access to the assailant's Apple iPhone 5C, is a striking example of it, according to Borgelion.

Despite police's frantic attempts to find out whether the man, who killed 14 people, was a "lone wolf" or acted as part of a terrorist network, Apple declined to share data to, as Borgelion put it, "never undermine the security features of its products," fearing that it would create risks for all other customers.

"Finally on March 28, the Department of Justice announced that it had unlocked the iPhone and withdrew its suit. Initial reports, citing anonymous sources, stated that Israeli company Cellebrite was assisting the FBI with this alternative. But Apple did not give anything! So you see, the GAFAM are defending the privacy and security of their systems, tooth and nail!" the expert concluded.

At the same time, he was quick to remark that there were also cases in which tech giants like Facebook shared users' private data for completely dubious purposes.

"Think of FaceApp, the Facebook application that makes it possible to age you on a photo by 50 years for example. All youngsters love it, but what they forget is that in the small print of what they signed, FaceApp is allowed to use the photo for commercial purposes. So where is your privacy?" he wondered, noting that it was not easy to shape a clear stance on the issue.

GERMANY, SOCIAL NETWORKS DEFEND END-TO-END ENCRYPTION

Back in November 2015, then-German Interior Minister Thomas De Maiziere signed a charter to protect confidential communication online. This document promotes strong end-to-end encryption in a bid to make Germany the leader in data protection.

In a comment to Sputnik, German encrypted email service Tutanota expressed full support for such approaches, saying that the only solution to ensure privacy was strong end-to-end encryption.

"It is good to see that there are politicians who understand the importance of our right to privacy. It is also noteworthy that the new European General Data Protection Regulation (GDPR) is largely based on the German Federal Data Protection Act. The European GDPR requires that companies protect personal information they handle. Sending out personal information such as a private home address, bank details, or CVs of applicants with a normal email could lead to heavy fines under GDPR. It is best to secure emails containing personal information with end-to-end encryption," a Tutanota spokesperson said.

According to Tutanota, after years of permanent surveillance allegedly practiced by the former German Democratic Republic, modern Germany will "never want a system to monitor its own citizens 24/7 ever again" and "do everything to fight for our right to privacy."

This echoes the Facebook reaction to media reports about the UK-US deal.

"We oppose government attempts to build backdoors, because they would undermine the privacy and security of our users everywhere. Government policies like the Cloud Act allow for companies to provide available information when we receive valid legal requests and do not require companies to build back doors," Facebook said, as quoted by Bloomberg.

But for security experts it is only a small part of the problem. There is the encrypted "Dark net." Or Telegram, which will never lift anonymity. There are also apps that destroy messages after they are read.

So for national security agencies it is mission impossible to secure the net: terrorists will adapt anyway. Yet governments still try to obtain access to encrypted communications, with the United States and the United Kingdom being no exception.

LEGAL EXPERTS: US, EU APPROACHES DIFFER

Asked to comment on legal issues of the UK-US data sharing deal, Eleni Kosta, a professor of technology law and human rights at Denmark's Tilburg Institute for Law, Technology and Society, noted that the text of the "agreement is confidential and what you read in the press is only hearsay."

As for the reaction of tech giants to any possible encryption "backdoor," she sees it as quite understandable as "they apply corporate responsibility." In addition, this issue also concerns the domain of human rights and freedoms.

"We are touching on our fundamental rights there; privacy protection. Moreover, everybody is considered innocent before being proven guilty. The police, understandably, are trying to improve their tools for their enquiries and get as much data as possible, but they need to prove the guilt first, before a judge gives them the green light for data investigations," Kosta told Sputnik.

Another important aspect is the difference between US and European approaches to data privacy, experts at the KOAN law firm in Brussels pointed out to Sputnik.

"You remember the [Edward] Snowden affair, this American whistle-blower, who revealed the extent of the surveillance by the American law enforcement and security agencies? The US authorities had access to private data of millions of citizens. It was a big scandal in the USA, which had legal repercussions and closed the 'back door' access, except on certain conditions, when defined by a judge who has to balance the public interest and the fundamental right - the highest level of rights - before deciding if he authorizes or not the access to encrypted data," Christine De Keersmaeker and Nicolas Hamblenne said.

They, however, expressed hope that "the confidentiality of personal data is and remains the rule, on both sides of the Atlantic, and lawmakers will be very careful in giving some possibilities for judges and law enforcement authorities to access encrypted data, case by case."