The US Lawful Access to Encrypted Data Act: Another Surveillance Tool?

BlockSuits

Introduction to the Bill

The United States (‘US’) is currently one of the biggest data economies globally; however, US regulators have still not formulated a comprehensive, consolidated data protection regime. Moreover, as the Schrems II judgment makes clear, the US is also regarded as one of the largest surveillance states in the world. The Lawful Access to Encrypted Data Act (‘LAEDA’), introduced in the US Congress on June 23, 2020, appears to further the aim of US authorities of not letting data escape their reach, in other words of weakening data privacy. LAEDA requires covered organisations to be capable of decrypting user data, on a court order, to a level at which public authorities can read it for the purpose of law enforcement. This essentially means that organisations/providers cannot offer users/data subjects/consumers fully encrypted devices, nor encrypt data to a level that the authorities cannot have decrypted for law enforcement purposes. Even though prima facie this appears to violate users’ data privacy, a question remains whether such discouragement of foolproof encryption is justified, or whether specific instances of national security should have been set out as a standard, on the occurrence of which the authorities could demand data. LAEDA comes at a crucial time, in the wake of the US Senate Judiciary Committee’s hearing on encryption held in December 2019. While LAEDA is aimed at having tech companies assist public authorities in the interest of national security, its applicability is so vast that it may in turn affect user privacy in day-to-day activities. The premise for obtaining data from consumers is that, in the current technologically advanced age, service providers are designing devices to facilitate encrypted communication in such a way that law enforcement cannot decode it even when there is a legitimate threat to national security in the form of terrorism etc.
The promoters of LAEDA, Senators Lindsey Graham, Tom Cotton and Marsha Blackburn, have also cited past examples where illicit activities were conducted and service providers/private organisations did not assist investigation agencies such as the Federal Bureau of Investigation (‘FBI’).

While the sponsors of the bill speak of furthering privacy and public safety in tandem and providing a ‘balanced solution’, can a law built around eliminating ‘warrant-proof’ technologies really deliver a regime in which data is protected?

Applicability of LAEDA

All consumer electronic devices are brought under the purview of LAEDA, which essentially means that operating systems, applications (apps), gaming devices, smartphones and personal computers such as laptops fall within its scope. The definitions in Title I specify that LAEDA applies to all consumer electronic devices with 1 (one) gigabyte (‘GB’) of storage or more. This provision is so broad that it potentially covers most devices a common consumer uses in daily tasks, including smart watches, smart televisions and smart home devices. Interestingly, LAEDA applies both to stored data (data held on servers, whether remotely or locally) and to data in transit (data in motion, or communications in transit).

Technicalities of the LAEDA

According to the ‘Court order for assistance’ heading under Title I of LAEDA, an applicant seeking to investigate an electronic device must obtain a court order based on probable cause. Once such a motion is granted, the organisation/company/service provider is obligated to decrypt the information and provide it in an intelligible format to the applicant (for example, the FBI). The organisation must also provide technical assistance towards execution of the warrant, i.e. assistance in decrypting the information/data sought in the warrant. As per § 3119(c), ‘capability to assist’, entities that have sold more than 1,000,000 (one million) consumer electronic devices in the US in 2016 or thereafter are required to comply with LAEDA. Similarly, with respect to computing services, as per § 3119(2), entities that have provided services to more than 1,000,000 (one million) subscribers must ensure that they are capable of providing the technical assistance LAEDA requires. The compliance requirements do not end at computer and smartphone-based app services, however. As per section 201, any provider of wire or electronic communication service is also obligated to comply with LAEDA. Section 201 states: “Any provider of wire or electronic communication service, landlord, custodian, or other person furnishing such information, facilities, or technical assistance shall be compensated therefor by the applicant for reasonable expenses directly incurred in providing such information, facilities, or assistance”.

Although this clause is worded so as to appear to promise consideration for such communication providers, in effect it proclaims that virtually no entity is exempt from complying with LAEDA. It also caps such reasonable expenses at a maximum of USD 300. Moreover, the above-mentioned ‘compensation’ by the authorities applies only to providers of stored data. This means that communications/remote computing service providers with more than 1,000,000 (one million) active users will not be compensated by the government and will have to bear the costs of redesigning their system architecture to facilitate such decryption.

Effect on Stored Data v. Effect on Data in Motion

LAEDA differentiates between data in motion and stored data. As explained above, entities providing services for data in motion are not eligible for any compensation for redesigning their systems. The confusion, however, lies in the manner in which public authorities would execute the provisions of LAEDA. Moreover, the judiciary is given no discretion over the grant of a technical assistance warrant: a judge is obligated to issue it once the applicant shows probable cause for obtaining the information. As to the difference between stored data and data in motion, a warrant under LAEDA applies only to stored data, whether locally or remotely stored. For data in motion, wiretapping of communications is required, so the orders are obtained under the Electronic Communications Privacy Act of 1986 and the chapter of the US Code on pen registers and trap and trace devices. Both of these already contain provisions for technical assistance orders; what LAEDA adds in this context is a specific requirement to ‘decrypt’ data under such wiretap orders, again with no judicial discretion to refuse the decryption component once the underlying order is granted.

The only exemption from technical assistance, as per section 201(ii), is where the independent actions of an unaffiliated entity make it technically impossible to decrypt the data/information; otherwise the entity must follow all procedures. In other words, no entity is exempt from any provision unless the data has been encrypted by some third party rather than by the entity/service provider itself.

BlockSuits Comments

In the past, companies such as Facebook have stated that all WhatsApp communications are end-to-end encrypted and secure. That would no longer hold true once LAEDA is enacted. Moreover, many communication providers will have to bear extensive costs restructuring their software to provide adequate decryption measures once LAEDA is in force. Since LAEDA’s applicability is so wide, the liabilities will not be limited to big-tech companies; given the size of the US data economy, most medium-sized enterprises could potentially be served with a warrant/directive to facilitate decryption. Under Title III, § 3513(c), an entity may challenge or appeal such a warrant within 30 (thirty) days of service, but if the District Court affirms the order/warrant, the entity has no choice but to comply. Moreover, as per section 301, the Attorney General can also direct entities to build an ‘assistance capability’, which is to say that, by means of an ‘assistance capability directive’, the Attorney General can demand that organisations have decryption capability ready at any time.

Another interesting facet of LAEDA is the ‘Prize Competition’ under Title VI. The competition has been introduced to encourage more entities not to build warrant-proof encryption technologies. Put differently, organisations that provide the government with a back-door entry to data are rewarded. Under section 603, the government will incentivise and award organisations that provide solutions enabling law enforcement to access encrypted data pursuant to legal process, with such awards made under the Stevenson-Wydler Technology Innovation Act of 1980. This can also be read as the US government’s effort to satisfy a desperate need for a backdoor into all communications. While LAEDA is currently heavily criticised by many academics and practitioners in the US, could there be a scenario in which citizens benefit? Our answer is ‘we do not believe so’.

The structure of LAEDA as a whole provides no valid reasoning for enforcing orders/warrants that grant access to encrypted data. Moreover, it would be just another far-reaching tool in the hands of investigative agencies for conducting search and seizure under the banner of ‘national interest and security’.
