PI response to confused governments’ confusing declaration of war and victory on encryption

Today’s announcement regarding the UK and US agreement signed pursuant to the US CLOUD Act is being touted on both sides of the Atlantic as a major victory for law enforcement and security. But it is a step backward for privacy.

And it’s far more complicated than their press release and letter to industry suggest.

The agreement replaces the prior system, under which law enforcement agencies from around the world, including the UK, had to meet US legal standards in order to get access to content held by US service providers - like Facebook and Google - in the US. It turns out the US protections with regard to such content are in fact robust - requiring proof of probable cause before that content can be turned over to law enforcement. This was protecting many people across the world.

The MLAT system, which the new UK-US agreement replaces with regard to the UK, is flawed. But its flaws are mainly logistical. The US government does not devote enough resources to processing requests from other countries - leading to a backlog. Instead of choosing to spend more money, the US has decided to let other countries get access to content stored in the US under their own legal regimes - most of which are not as privacy-protective. For instance, we’ve often written about the flaws in the UK regime and do so again here. Indeed, even in its first case study released today, the UK Home Office notes it struggled to meet the US probable cause standard. It is unfortunate that the US has chosen to permit the UK to sidestep such privacy protections instead of investing more in improving the MLAT process.

The UK is also not to be satisfied. In addition to its newfound access under the CLOUD Act agreement, the UK is yet again calling for significant restrictions on encryption of communications and devices. End-to-end encryption protects the communications of people across the world: from protestors in Hong Kong, to journalists in Colombia, to human rights defenders in Egypt, to aid workers and humanitarian operations. Encryption protects all of them. Either it is turned on for everyone, or broken for everyone.

Device encryption helps make sure that our lives are not laid bare to others when our laptops or mobile phones are lost or stolen. (See our guidance for politicians on understanding encryption policy.)

In seeking to improve the strength of the encryption applied to our communications, Facebook is trying to be a good actor (something we do not say often in the privacy context). Building more secure systems is important for everyone and urgent.