Encryption, privacy and personal data protection: outlines of a contemporary debate
Written by
Diego Carvalho Machado
14 May 2018
The importance of encryption and its impact on law and society has gained prominence in Brazil with the recent course of judicial actions before the Supreme Federal Court (STF). Both (ADI 5527 and ADPF 403) deal with the blocking of online applications such as WhatsApp, an instant messaging application that uses end-to-end encryption to ensure the security and confidentiality of its users' communications, under the relevant legislation, namely the Brazilian Internet Bill of Rights (Law No. 12.965/2014).
At the public hearing held by the Brazilian Supreme Court on June 2nd and 5th, 2017, encryption, and in particular the technical features and effects of end-to-end technology, was discussed at length. The decisions to be taken in these cases will be crucial for the development of the legal status of encryption in Brazil, since the exercise of the Supreme Court's constitutional jurisdiction may draw clear boundaries for the implementation and use of cryptographic technologies in the Brazilian legal order.
End to end encryption, regulation and protection of personal data
In general, cryptography is the science of encrypting the contents of a message in order to hide its meaning. The kind of encryption commonly associated with the term "end to end" refers specifically to implementations that ensure that only the sender and the recipient of a message hold the technical means to encode and decode the content of the messages exchanged. In a sense, the qualifier "end to end" applied to encryption is redundant, since it repeats the very concept of encrypting communications: keeping the content of messages safe from third parties, including intermediaries. The qualification, however, highlights the rejection of any manoeuvre that would allow anyone other than the main parties, the "ends" of the communication, to learn the content, and makes it clear that only the sender and the recipient will be able to apply the cryptographic tools.
The debate about the legal status of encryption is also intense in other countries. Recently, Roskomnadzor, the Russian telecommunications regulator, demanded that the chat application Telegram hand over its encryption keys, based on a decision of the Russian Supreme Court. Despite the differences between Telegram and WhatsApp (e.g. in key management and in the protocols adopted), both systems make use of end-to-end encryption, though only the latter does so by default.
The case began with a request by the Russian Federal Security Service (FSB, the successor of the former KGB) that Telegram share its cryptographic keys. Encryption keys are, essentially, the tools needed to decode encrypted information; whoever holds them is able to read the encrypted content. Telegram's refusal to hand over the keys led the messaging provider to appeal to Russia's Supreme Court, which rejected the appeal. Because of the resulting violation of the court order, on April 16th Roskomnadzor ordered the blocking of the Telegram app throughout Russian territory.
There are, however, other regulatory initiatives that appear to point in the opposite direction. In the ongoing debate on the design of the European electronic communications framework, for example, an approach more attentive to the fundamental rights and legal guarantees related to information flows seems to be under consideration.
In order to update and adapt Directive 2002/58/EC to the European General Data Protection Regulation (GDPR, which comes into force on May 25th), in January 2017 the European Commission published its proposal for a Privacy and Electronic Communications Regulation. The version presented with amendments by the European Parliament provides for the inclusion of paragraph 1a in Article 17, determining that
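To make concrete the distinction drawn above (only the "ends" hold the means to decode, and whoever holds the key can read the content), here is an added illustration that is not part of the original article: a relay provider forwards an encrypted message between two ends and cannot read it, unless it holds a copy of the key. The cipher is a deliberately simple HMAC-based construction using only the Python standard library, standing in for the real protocols WhatsApp and Telegram use; the message and the party roles are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative construction standing in for a real AEAD such as AES-GCM: an HMAC-SHA256
# keystream XORed over the message, then an HMAC tag over nonce + ciphertext (encrypt-then-MAC).
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong or the message was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

def relay_exchange(message: bytes, provider_holds_key: bool) -> dict:
    """Sender -> provider -> recipient; reports what each party can read."""
    ends_key = secrets.token_bytes(32)  # agreed between the two ends only
    # An escrowed copy of the ends' key (what the provider was ordered to hand over)
    # versus a provider that holds no key and can only try one of its own.
    provider_key = ends_key if provider_holds_key else secrets.token_bytes(32)
    wire = encrypt(ends_key, message)   # all the provider ever carries
    return {
        "recipient_reads": decrypt(ends_key, wire),
        "provider_reads": decrypt(provider_key, wire),
        "plaintext_on_wire": message in wire,
    }
```

Calling `relay_exchange(msg, False)` shows the recipient reading the message while the provider gets `None`; `relay_exchange(msg, True)` shows that an escrowed key copy lets the intermediary read everything.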
“providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and integrity of the communication in transmission or stored are also guaranteed by technical measures according to the state of the art, such as cryptographic methods including end-to-end encryption of the electronic communications data”.
Incidentally, following this proposal, the Article 29 Working Party, which brings together data protection authorities from all European countries, clearly expressed its views in defence of the private interest of individuals and companies, and the public interest of governmental entities, in the use of strong encryption. It further asserted that "the mathematical foundation of cryptology does not provide the basis for a secure backdoor, and numerous examples have shown in history that master keys and back doors can not be kept secure".
Plurality of encryption applications
In order to carry out an extensive and fruitful public debate on the regulation of cryptographic techniques, it is essential that in Brazil we also reflect on the different ways cryptographic technologies are used, including encryption for device security as well as encryption for operational security.
The application of these techniques and encryption software on devices such as smartphones aims to ensure the information security and confidentiality of the digital content stored on them. The FBI v. Apple case in 2016 was the most widely reported instance of this use of cryptography. The agency intended to break the security system of the iPhone of one of the suspects in the San Bernardino terrorist attack in order to obtain evidence, which the company claimed it was practically unable to do without harming the security of all other Apple users.
At the Crypto Colloquium, a multistakeholder meeting of experts held in Washington in September 2017, the participants considered a scenario in which the technical means existed to build a system that ensures the availability of decrypted content (plaintext) to government officials in specified contexts. Assuming such a system were legally imposed, the participants agreed on certain conditions to frame the mechanism. We emphasize the following: (i) it must be written into law, but without mandating any particular technological mechanism; (ii) rules for data processing and data minimization must be clearly defined; (iii) the regulation must be limited to encryption on devices; and (iv) the implementation of the system would be tied to the mobile network.
Even with this strict delimitation, the conclusion was that such a regime of exceptional device access for governmental entities would be effective only for a short period, substantially expensive and probably risky for security in general.
These conclusions hold even after Ray Ozzie's proposal of a key escrow system called Clear, released last month in an article published by Wired. According to its creator, the system would be able to meet public security authorities' demand for access to encrypted data without creating significant risks to the security of the billions of people who use encrypted devices. Nevertheless, the proposal has already received harsh criticism not only from the technical community, for instance from cryptographers such as Matthew Green and Bruce Schneier, which has discussed this type of system for decades and confirmed its lack of security, but also from Silicon Valley giants.
Encryption related to operational security, in turn, consists in the necessary implementation of information security measures to protect the confidentiality of personal data processed in databases. The implementation of cryptographic technologies by those responsible for the processing of personal data is the action that prevents or reduces the risks posed by that processing, such as destruction, loss, and accidental or unlawful alteration, or the unauthorised disclosure of or access to transmitted personal data, as stipulated in Article 32(1)(a) of Regulation (EU) 2016/679.
Similarly, Decree 8.771/2016, which regulates the Brazilian Internet Bill of Rights, provides in its Article 13 specific security guidelines for the processing of personal data and private communications that must be observed by internet connection and application providers, including "management solutions of records by techniques that ensure data inviolability, such as encryption or equivalent protective measures". Hence, encryption for operational security is not only already provided for in Brazilian law; it is also the only technology specifically mentioned in the regulation of the Brazilian Internet Bill of Rights.
Final considerations
The increasing presence of end-to-end encryption in debates about privacy and data protection shows the close relationship, and interdependence, between security and privacy. It is commonly said that without information security there is no privacy. The reverse is equally true: if there were no real and concrete demand for privacy and data protection, there would be no reason even to consider implementing information security measures.
At a time when discussions on a future data protection law in Brazil are maturing, it is urgent that the legal system prepare itself to receive this new "digital citizenship", in which citizens will have the rights and legal guarantees they need over their personal data. It is crucial to secure the key technical measures that make the protection of privacy in digital (and smart) environments possible, such as encryption, so that they can be used and put into practice without limitations that make them infeasible and harm citizens, public authorities, and the innovation capacity of the Brazilian technology sector.