Surveillance versus privacy: The conflict extends far beyond Apple versus and the FBI

Today, American IT companies find themselves caught in the midst of conflicting directives that pit the need for surveillance against the requirement to protect privacy. As a result, these firms are asking for a new multilateral agreement to provide common rules of the road. In a new policy paper, I outline the principal dilemmas that must be addressed in any new multilateral agreement.

The Apple/FBI case and US surveillance laws

For almost fifty years, the United States has required that all providers of IT services in the US – including foreign IT companies – place backdoors in their products so that US agencies can conduct surveillance pursuant to court order. Apple complies with this requirement when data is transmitted across the Internet, or is stored in the cloud. However, Apple iPhones do not permit surveillance when in the possession of the owner or user.

Since 1994, US law has required IT companies to provide a clear-text copy of any message for which they provide encryption services. However, Apple’s products allow users to encrypt data for which Apple does not have a key and is incapable of providing a clear-text copy to US authorities. The FBI is demanding that Apple create a new mechanism to disable the feature that erases encrypted data on an iPod or iPhone if an outsider unsuccessfully tries more than ten passcodes. More broadly, the Director of the FBI – and others – have asked for consideration of legal requirements that would make all encryption services accessible to US law enforcement and intelligence agencies.

America’s stance on other surveillance/privacy issues: It’s complicated

Alongside the issue of providing backdoors and weakening encryption, international IT companies are caught in a conflict of legal directives in two other separate areas: the requirement legislated by some countries for data localization on national soil, and the right claimed by some governments to place extraterritorial demands on companies to retrieve personal data stored in other countries.

Today, the US is a bit schizophrenic on data localization. The Federal Communications Commission (FCC) frequently requires IT companies to install a repository of customer data records on US soil, while asking FCC license applicants to make such data available for service of due process if a law enforcement agency needs to investigate it. Meanwhile, the Trans-Pacific Partnership agreement – if ratified by the US – would forbid requirements for localization of data storage in all signatory countries.

As for extraterritorial reach, US court orders and warrants for access to data apply to all information in the possession of US companies, whether stored in the United States or abroad. The most prominent case today features Microsoft. Federal agents involved in a criminal investigation served a search warrant on Microsoft’s US headquarters, requiring it to find a customer’s private emails, copy them, and turn them over to the FBI. The emails, however, are located exclusively on a Microsoft storage device in Dublin, Ireland, where they are protected by Irish privacy laws and the EU Privacy Directive. Microsoft refused to comply with the search warrant and is now being held in contempt of court.

America’s policy choices will have global implications

To reconcile these conflicting directives, eight of the largest US multinational corporations (Apple, Google, Microsoft, Facebook, Yahoo, LinkedIn, Twitter, and AOL) have called on the president and Congress to develop “a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved Mutual Legal Assistance Treaty – or ‘MLAT’ – processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.”

As future MLAT negotiators ponder the requirement for backdoors and deliberately weakened encryption, localization of data storage, and extraterritorial extraction of personal information, intelligence agencies within countries that are party to such a potential treaty should be careful what they wish for. National authorities around the world – including, for example, China and Russia – will doubtless wish to enjoy mirror-image rights for penetration and surveillance.

As signatory to a future MLAT, should China be permitted the ability to demand that US, European, Japanese, and South Korean IT providers install backdoors in their hardware and software that can be penetrated by the PLA? Should a MLAT that includes China allow Chinese authorities to demand that all encryption services used or offered for sale on Chinese soil be designed so as not to overwhelm PLA decoding? Following proper MLAT procedures, should a Chinese minister or a secret Chinese court be able to subpoena data on Tibetans, Uyghurs, and pro-democracy dissidents stored on the China Telecom USA central server in Atlanta, Georgia?

Serious debate about crucially important government surveillance procedures and vital personal privacy preservations lies ahead. The international business community eagerly awaits the outcome.

Read more about the five key areas where conflict among national directives would have to be addressed in a potential new multilateral treaty in Dr. Moran’s policy paper “Surveillance Versus Privacy, with International Companies Caught in Between.“

This post was originally published on TechPolicyDaily.