The State of Crypto Law: 2016 in Review
This year was one of the busiest in recent memory when it comes to cryptography law in the United States and around the world. But for all the Sturm und Drang, surprisingly little actually changed in the U.S. In this post, we’ll run down the list of things that happened, how they could have gone wrong (but didn’t), how they could yet go wrong (especially in the U.K.), and what we might see in 2017.
For a fuller picture of what happened this year, we need to actually start this post with a brief review of what happened in late 2015. At the end of September of last year, EFF and our friends at Access Now launched an online petition to demand that President Obama protect encryption from any sort of compromise or backdoor mandate. The petition and its companion website at savecrypto.org used the White House petition site to let our members and supporters tell the President exactly what we think: strong crypto is critical to security in the digital world and any sort of compromise would be unacceptable. And despite garnering well over the 100,000 signature threshold that warrants a response from the White House, no substantive response ever came.
Apple v. FBI: The All Writs Act in (in)Action
If you’re reading this post, chances are you’re already familiar with the case that could have led to the biggest development in crypto law in 2016: the “Apple v. FBI” fight in the wake of the San Bernardino shooting.
In February 2016, a federal magistrate judge in southern California in charge of the investigation into the San Bernardino shooting was presented with an application by the government to force Apple to unlock one of the phones used by the deceased shooters. That same day, the magistrate judge ordered Apple to write and digitally sign custom software to help unlock the iPhone 5C at issue. In an unprecedented move, the order required Apple to create a brand new version of its operating system with intentionally weakened security features, which the government could then use to get into the phone.
EFF and an unusually large group of tech companies, nonprofits, academics, and others all filed amicus briefs supporting Apple. Our brief focused on why the order the judge signed would have violated Apple’s First Amendment rights. Others wrote briefs about why the order would have been bad for our security, and why the order was not actually authorized under the All Writs Act, the law the government used to justify its outrageous demand.
If the FBI had won, 2016 could have become the year that the U.S. government obtained the legal authority to order American technology companies to create arbitrary backdoors in technology products. Indeed, the FBI’s demand was never about “just that one phone” and was all about creating legal precedent. Instead, the FBI found another way into the iPhone at issue and withdrew its illegal and unconstitutional demand without creating bad law.
The Burr-Feinstein Bill, or Another Way 2016 Could Have Been a Lot Worse
In April, less than two weeks after the Apple v. FBI fight ended with a whimper, crypto faced its next existential challenge. That challenge came in the form of a draft bill, proposed by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA). The draft bill would have created a new obligation on device manufacturers, software developers, ISPs, online services and others to decrypt encrypted data or offer “such technical assistance as is necessary” if ordered to do so by any court in the country.
The draft bill was absolutely terrible. Indeed, the language demonstrated an almost studied ignorance of everyday computer security practices that safeguard our devices and information from criminals. As written, the draft likely would have outlawed forward secrecy, an innovative security feature that many major tech providers, including WhatsApp, have implemented to limit the damage to user privacy in the event encryption keys are compromised.
Thousands of EFF supporters spoke out to oppose the bill, and many others joined us in a campaign to pressure Obama again to take a strong stance against encryption backdoors. That work paid off: congressional support waned and the Obama administration’s decision not to endorse the bill was key to the proposal being scrapped for the year.
The Investigatory Powers Act, or How 2016 Was Worse in the U.K.
While we ended up winning the Apple v. FBI fight and defeating the Burr-Feinstein Bill, we weren’t so lucky across the pond in the United Kingdom. This year, the Investigatory Powers Bill, introduced in draft form in November 2015, has become the Investigatory Powers Act and is now unfortunately law in the U.K. as of November 2016.
The law’s 245 pages codified the U.K. government’s plans to create a statutory basis for the country’s mass surveillance, data retention, and remote intrusion practices.
Several of the Act’s provisions are especially troubling. First, the Act grants the U.K. the power to issue a “Technical Capability Notice” (S.189), a secret order to a telecommunications operator (which the Act defines so broadly it includes companies like Apple) to force it to “remov[e] electronic protection applied ... to any communications or data” and to “provide facilities or services of a specified description.” Second, the law also grants the U.K. the power to issue a “National Security Notice” (S.188)—another secret instrument, even more vaguely drawn, that would require operators to “carry out any conduct, including the provision of services or facilities,” which the British government “considers necessary in the interests of national security.”
As Privacy International has noted, both of these instruments include gag orders that would prohibit Tim Cook from telling his customers what was happening.
Third, the new Act provides for “equipment interference”—the U.K.’s euphemism for hacking in the popular sense of that term. It allows the U.K. to break into private devices and insert new code for the purposes of surveillance or extracting data.
The very questionable silver lining is that we don’t think that the U.K. government has taken advantage of the most dangerous provisions in the Act and forced backdoors into consumer technology… yet. We’ll be keeping a close eye on this one in 2017.
2017 and Crypto in the Trump Era
Pretty much all we can say with confidence about what challenges cryptography law will face in 2017 is that we’re sure there will be some.
President-elect Trump hasn’t said much on crypto directly, but during the Apple v. FBI fight, Trump made it very clear he was on the FBI’s side: “To think that Apple won't allow us to get into [the shooter's] cellphone? . . . Who do they think they are? No, we have to open it up.” He also called for a boycott of Apple until Apple caved. But like so much else, Trump has offered no specifics.
Trump’s nominee for Attorney General, Senator Jeff Sessions (R-AL), is widely speculated to be aggressively anti-crypto. Again, Sen. Sessions has offered no specifics, but does “believe this is a more serious issue than Tim Cook understands.”
Whatever 2017 and the Trump Administration bring, we’ll be ready for it. And you can be certain that we’ll fight as hard as we can for your right to use encryption without compromise.
This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.