We are pleased to announce that as of today, additional signatories to the FPF/SIIA Student Privacy Pledge include Aegis Identity, Agency for Student Health Research, Avepoint, besimpler, CPSI Ltd., Google, Khan Academy, Kidhoo, makkajai, MMS, National Student Clearinghouse, Navvie, Ripple Effects, Student Lap Tracker, and Tools4Ever.
Readers know we support responsible beacon technology practices. Today’s story illustrates how airports can provide real-time updates about travel plans, accommodations, and flights to travelers by using beacons.
According to Luxury Daily, recent surveys show 53 to 77 percent of travelers in the United States would like for airports to send real-time updates on gate changes and flight times to their mobile phones. Companies like Swirl believe that because beacons can offer travelers a valuable and personalized the mobile experiences, travelers would be to share some level of personal information. However, this is an opt in service: a customer or traveler would first need to download a mobile app and opt-in to receive these beacon-triggered messages and content.
Some airports, like the Miami International Airport, have rolled out programs that use beacons to help users find the correct gate and send push notifications for restaurant and store deals when travelers are walking around. Airports and travel brands who are interested in implementing beacon technology must be willing to invest in some infrastructure or technological changes, and develop partnerships with retail brands and mobile payment solutions.
This opt-in use of beacons in airports is just one example of the many ways beacon technologies are growing this year, and providing value to mobile users in a privacy friendly manner.
The Pledge Is A Strong Means Of Protection For Student Personal Information
Supporters include Microsoft, Apple, Amplify, Houghton Mifflin Harcourt, Edmodo, Lifetouch, Knewton, Code.org, Shutterfly, Clever, eScholar, Class Dojo, DreamBox Learning
Washington, D.C. – Monday, January 12, 2015 – President Obama today strongly endorsed the Student Privacy Pledge, calling for more companies to make a firm commitment to using student data only for educational purposes.
“We developed the Pledge to provide a way for school service providers to clearly explain to parents, students and teachers how data is being used to support student education”, explained FPF Executive Director Jules Polonetsky. “And, in a gridlocked Congress where federal legislation faces challenges, the Pledge creates an immediate and enforceable legal code for companies that sign on. The Administration was instrumental in helping to get the word out, and its support early on was important to many companies being interested.”
In October 2014, The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) announced a K-12 school service providers Student Privacy Pledge to safeguard student privacy – outlining a dozen commitments regarding the collection, maintenance, and use of student personal information.
Seventy-five companies have now signed the Pledge to publicly declare their commitment to student privacy and to make a legal promise to follow the principles. The Pledge is effective as of January 1, 2015.
The Pledge commitments detail ongoing industry practices to ensure responsible, fair handling of student data. The Pledge applies to all student personal information whether or not it is part of an “educational record” as defined by federal law, and whether collected and controlled by a school or directly through student use of a mobile app or website assigned by their teacher. It also applies to school service providers whether or not they have a formal contract with the school.
Signers of the Student Privacy Pledge have committed to:
The Pledge was developed by the FPF and SIIA with guidance from the school service providers, educator organizations, and other stakeholders following a convening by U.S. Representatives Jared Polis (CO) and Luke Messer (IN). The Pledge has been endorsed by the National PTA and the National School Boards Association.
“Congressmembers Polis and Messer help kicked off the idea of a pledge and were critical to hammering out a privacy friendly set of rules that ensure data is protected and used to benefit student education,” said Jules Polonetsky, exec director of the Future of Privacy Forum
The initial leadership group of companies that launched the pledge in October included Amplify, Code.org, DreamBox Learning, Edmodo, Follett, Gaggle, Houghton Mifflin Harcourt, Knewton, Knovation, Lifetouch, Microsoft, MIND Research Institute, myON (a business unit of Capstone), and Think Through Math.
The full text of the Pledge and more information about how to support it, including a list of current signatories, are available at http://studentprivacypledge.org/.
A Practical Privacy Paradigm for Wearables is available to read here.
* * * * * *
Only a week into 2015, and already it looks to be the year of wearable technologies. At this year’s International Consumer Electronics Show (CES), wearables and the Internet of Things have dominated the conversations and the exhibition halls. With 900 Internet of Things exhibitors at the conference, it’s clear that consumers will be offered many new ways to immerse themselves in connected life. More than just fitness bands and smartwatches, consumers will soon be reaching for “smart” tennis rackets, coffee makers, pacifiers, stovetops, and pet accessories.
However, as FTC Chairwoman Edith Ramirez reminded us all yesterday in a speech at the CES conference, the Internet of Things is a complex system with “the potential to provide enormous benefits for consumers,” but also “significant privacy and security implications.” The Chairwoman’s speech focused on three key privacy challenges arising from the IOT, as well as three key steps companies can take to enhance consumer trust and ensure that consumers will continue to adopt these new technologies. The three core privacy risks she highlighted were: “(1) ubiquitous data collection; (2) the potential for unexpected uses of consumer data that have adverse consequences; and (3) heightened security risks.” To help mitigate these risks, Ramirez believes that companies should: (1) adopt “security by design”; (2) engage in data minimization; and (3) increase transparency and provide consumers with notice and choice for unexpected data uses.
The Future of Privacy’s new paper, A Practical Privacy Paradigm for Wearables, addresses these same concerns. The paper examines how wearable technologies are challenging traditional applications of the Fair Information Privacy Principles (FIPPs) and why policymaking in this area requires a forward-thinking, flexible approach to these concerns. The FIPPs have long provided the foundation for consumer privacy protection in this country, and still embody core privacy values. However, a rigid application of them may not always be feasible in the fast-paced world of wearables and the nascent IOT. Both the technologies and social norms around these devices are developing quickly, and holding innovative new designs and data uses to privacy standards developed for other industries could stymie the next technological revolution.
We certainly agree with Chairwoman Ramirez that the IOT creates new and challenging privacy risks, and that traditional privacy principles like notice and choice and data minimization will play an important role in these spaces. However, we urge policymakers to take a nuanced approach to the application of these principles to wearable devices, particularly in these early days of their development. As the Chairwoman noted, it will take the “ingenuity, design acumen, and technical know-how” to provide consumers with useful notice and choice for their wearables. Wearables come with as many shapes and sizes as consumers, and one-size-fits-all solutions will not be feasible.
Another challenging issue our paper examines is the intersection of wearables and Big Data, as wearables’ capacity for granular ubiquitous data collection both opens the door to new and important health, efficiency, and personal benefits, but also to significant privacy risks. We agree with the Chairwoman’s caution against collecting and holding consumer information on the mere off-chance that it could become valuable someday. However, we also believe that novel data uses do sometimes develop from data collection that is based on speculative or “pure research” purposes and that allowing for these uses is essential. In order to unleash the benefits of big data, researchers and organizations need the opportunity to look for unanticipated insights in datasets like those that might be created by consumers utilizing their wearables to ubiquitously track their own activities.
Rather than immediately imposing restrictions on data collection, we believe organizations should engage in comprehensive risk-benefit analyses of both the potential risks and potential rewards of putting data to a particular use. FPF has previously published a methodology for this sort of serious assessment in our paper Benefit-Risk-Analysis for Big Data. By identifying and quantifying both the risks and benefits of handling data in a particular manner, companies can more rationally determine when a certain use is appropriate or when to scale back data collection. “Trust us” is not a sufficient rationale for careless handling of consumer data by companies, and comprehensive risk-benefit analysis prevents thoughtless decision-making. By engaging in case-by-case balancing, we can allow for novel data uses and big data breakthroughs only when and where the benefits to individuals and society outweigh their risks.
In addition to examining the need for common sense applications of the FIPPs, the paper presents a variety of industry solutions necessary to support such a framework. We wholeheartedly support the Commissioner’s call for security-by-design, recommending that “organizations be prepared to defend consumers’ personal data against both internal threats, such as curious employees, and external threats, such as hackers or scammers,” as well as her recommendation that organizations engage in practical de-identification practices. We also suggest companies respect the context of data collection, be transparent about how they use consumers’ personal information, provide reasonable individual access to data, and help develop binding codes of conduct for wearables.
2015 may be the year that wearables go mainstream, both for consumers and for privacy professionals and policymakers. While companies continue to develop new ways to connect our digital and physical worlds, there are many more discussions to be had about how these devices will fit into our lives. The wearables industry needs time to mature, and users need time to learn what they want and expect their wearables to do for them and with their personal information. Already, companies and platforms, such as Apple HealthKit and Google Fit, are developing baseline rules to protect consumers’ privacy. Moving forward, we urge policymakers to adopt a forward-thinking, common sense application of the FIPPs in the wearables space.
– Kelsey Finch
At the start of the new year, one of the most anticipated video games of the year was Watch_Dogs, an open-world experience where players played the role of a hacker living in near-future Chicago, racing around the city using a mobile device to retrieve sensitive data and harnessing augmented reality feeds to pick up information about non-player character’s demographic data or potential in-game behavior. The game not only highlighted current concerns about privacy, but it got me thinking about all the many privacy issues at play in the world of video games.
Many of these issues are similar to work FPF has already done in the mobile space with regards to apps and online services, but as a long time gamer, these data collection and use issues were things I didn’t really think about when picking up a controller in front of my television. Modern games collect data such as a player’s physical characteristics (including facial features, body movement and voice data), location and nearby surroundings, biometrics, and information gleaned from one’s social networks, to start. Additionally, within the game environment itself data analysts monitor in-game behavior in order to discover a great deal about a gamer’s mind: from their temperament to their leadership skills; from their greatest fears to their political leanings.
The use of data is rapidly changing the gaming landscape, leading to a whole host of new innovative ways to play, but also potentially giving this gamer some pause. I teamed up with Joe Newman, now at Electronic Arts, and Chris Hazard, a game developer and researcher, to survey privacy issues in video gaming. Our paper, Press Start to Track?, was presented at the 2014 Privacy Law Scholars Conference, and was this week published in the journal of the American Intellectual Property Law Association.
If interested in the subject (but unable to do a deep dive), Joe and I blogged about some of our thoughts on The Escapist and our thoughts for how data-hungry game developers can build trust with gamers at Gamasutra.
-Joseph Jerome, Policy Counsel
Today, Joe Newman, our former legal and policy fellow, started working as a privacy attorney at Electronic Arts, one of the largest video game companies in the world. While at FPF, Joe was vital to our projects reviewing the U.S.-EU Safe Harbor and the implementation of “Do Not Track,” but he identified early on some of the interesting legal and privacy issues in the gaming space. I was pleased to be able to collaborate with Joe on a paper scoping out some of these issues, and the end result, Press Start to Track: Privacy Questions Posed by Video Game Tech, is slated for publication this month. There’s no question Joe is well-positioned to the take the privacy world by storm at EA.
He also joins the long list of FPF alumni who have gone on to interesting positions across technology and privacy. Joe’s co-fellow, Sarah Gordon, left FPF to work in-house at Zillow, the West Coast-based online real estate database, and previous fellows have gone on to work at American Express, Nielsen, and Promontory, among other ports of call.
But as our alumni move onward and upward, FPF is always looking for new law graduates and would-be policy wonks to join us! If you are interested in joining us and applying to work as a fellow at FPF, please get in touch at [email protected].
-Joseph Jerome, Policy Counsel
Earlier this week, FPF’s Kelsey Finch spoke to Red Herring about 2015’s biggest challenges, and how enterprise and consumer technology can come together to combat privacy issues.
Q: What have been 2014’s biggest privacy problems, in your opinion? Do you see them being fixed any time soon?
A: Throughout 2014, we learned how vulnerable our personal information can be. It seemed like every week a new data breach was announced and sensitive data flooded the internet, including everything from celebrity nudes to medical records, taxi locations to home webcam feeds. Not to mention hundreds of millions of credit and debit card numbers stolen from retailers, banks, and other companies.
Hopefully, in the coming year we’ll see consumers and companies alike learning from these experiences and practicing better online security.
…
For more, continue reading here.
At today’s FCBA brown bag lunch, FCC Enforcement Bureau Chief Travis LeBlanc discussed the Commission’s recent entrance into privacy enforcement and fielded questions as to what companies might do to avoid running afoul of the Enforcement Bureau. LeBlanc emphasized the innovation continues to outpace regulators, noting that much of the Commission’s investigative and enforcement work is a five to seven year process. “We’re at the point where we’d be having the Supreme Court judge [problems] with first-generation smartphones,” he mused. He highlighted the Commission’s recent decision to join the Global Privacy Enforcement Network as an effort to help keep pace with change in technology.
Kelley Dyre’s John Heitmann pressed LeBlanc on the FCC’s notices of apparent liability (NALs) against TerraCom and YourTel, which he suggested interpreted Sections 222(a) and 201(b) of the Telecommunications Act in novel ways to protect consumer privacy. Section 222(a) states that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to …customers.” While this has long been the basis for the FCC’s security rules around CPNI, but LeBlanc argued that Section 222 does not limit the duty of carriers to protecting only CPNI. He admitted that for “folks in the industry, in the media, and in the privacy community, there was an ‘uh huh, interesting’ moment” regarding the Commission’s interpretation, but he suggested this interpretation has been used to support other privacy work within the FCC, “if not squarely in the enforcement context.” He argued that Section 222’s protection of proprietary information was designed “to encompass the protection of information customers intended to keep private, which includes PII” and is more than just CPNI as defined by the FCC. “Going forward, fair to say, that’s the concept we’ll be using in our work,” LeBlanc stated.
LeBlanc also explained that Section 201(b), which prohibits carriers from engaging in unjust and unreasonable business practices, must be viewed as being co-extensive with Section 5 of the FTC Act. “It’s a basic consumer protection tool that we use to ensure carriers can’t engage in unjust practices,” he said, citing a recent settlement against AT&T for “cramming” extra charges onto consumer bills as an example of how to apply Section 201. He explained that the application of this interpretation within the context of policing privacy practices is “an iteration of that view and not a transformation.” Echoing the FTC’s actions on privacy policies, LeBlanc emphasized that the FCC hoped “to marry [company’s] language with their practices.” He added that the cramming settlement shows that the FCC is focused on conduct that directly harms consumers. The Enforcement Bureau, he suggested, was not interested in technical rules violations where no one was harmed or impacted. He also suggested it was important to differentiate between breaches of personal information, such as credit cards, that can be remedied and those that cannot such as Social Security number breaches. “In that circumstance, [a person’s] identity may be stolen or it may not, but no one’s going to re-issue you a Social Security number.”
LeBlanc spoke at length about the differences between the FCC and the Federal Trade Commission, the nation’s primary privacy cop. “We’re a regulatory agency with rule-making authority in contrast to the FTC, which is a primarily a policing agency,” he explained. “The benefit of having a law enforcement unit in the same angry as the one making the rules [is that] we can go talk to them before we do an enforcement action. If we’re going to do anything, we need to pick up the phone first. . . . It is impossible for anyone writing laws or rules to anticipate every circumstance out there you intend to bar, so you leave some part of it ambiguous. That’s an advantage over doing enforcement independently. There are risks that an enforcer could exploit a small error in the language of a statute.” He suggested housing both rule-making and enforcement in one entity improves effectiveness and efficiency.
The ramifications of the Commission’s recent $7.4 million settlement against Verizon for its past failure to notify consumers of their opportunity to opt-out of marketing using CPNI information were also a key topic of discussion. LeBlanc suggested the more interesting parts of the settlement were its non-financial terms. He applauded Verizon’s decision to include a notice of consumer opt-out rights in every monthly bill going forward. He suggested more notices like this give consumers the ability to evaluate (and rethink) their decisions to share information. He also suggested that CPNI rules move away from unclear “reasonable standards” and place stronger protections on customer’s proprietary information.
LeBlanc also reiterated his desire to see companies admit to wrong-doing in settlement actions. He suggested that negotiations with Verizon were already on-going at the time the Enforcement Bureau announced a practice of seeking admissions of liability or facts in settlements. Explaining that FCC settlements were designed to provide guidance to others engaging in similar conduct, “the only way to effectively do that is to provide some detail into what a company did that was wrong.” He was also dismissive of notions that admissions-of-wrongdoing would impede the ability of companies either to retain business or gain government contracts. “I don’t think that’s true,” he said, suggesting settlements could be narrowly worded enough to protect companies from that sort of sanction.
Turning to emerging privacy issues, LeBlanc emphasized that he hoped to prevent industry mistakes rather than to respond after the fact. “Where I can provide guidance to the industry to operate in compliance with the law, I’d like to do that,” he said. His chief recommendation was for companies to do better with their privacy policies. He admitted that the lack of baseline federal privacy law forced him, as well as other agencies, to “work on the representations industry makes,” pointing to existing FTC practice. He suggested that the SEC will be interested in this moving forward, as well.
“We understand that sometimes companies are victims,” he said. “They are targets — no pun intended.” He pointed to some of the “mitigating practices” companies could pursue in the event of breaches, including (1) notifications when information was compromised, (2) credit monitoring services, and (3) providing hotlines or websites to consumers. He also highlighted the importance of chief privacy officers, training, and the adoption of industry best practices and security audits. That said, he also appeared skeptical of some common “excuses” for breaches such as (1) errant employees, (2) technological glitches, and (3) contractor practices. “The company that collects personal information from the consumer, that has that relationship with the consumer, is responsible for protecting it [downstream],” he said. “That duty cannot be out-sourced.”
Finally, Heitmann could not avoid asking LeBlanc whether all of his comments might apply to broadband services in the event the FCC reclassifies broadband under Title II. “Wouldn’t you like to know?” LeBlanc laughed. “I cannot speculate on what the Commission is going to do in this context . . . We will stand ready and prepared to meet the Commission’s goals.”
Local Search Association and Future of Privacy Forum release a simple and concise primer that explains how the Bluetooth devices work and how privacy friendly controls ensure user control.
As competition for fickle and frugal holiday shoppers kicks into high gear, traditional retailers are seeking new ways to bring consumers into stores and provide them with improved shopping experiences. Leveraging near ubiquitous smartphone adoption, Bluetooth beacons have emerged as one of the more popular tools in this quest.
While beacons have many non-commercial uses, the US retail industry is where much of the early beacon adoption has come. And though they’re just one of several indoor location technologies, beacons have emerged as the leader because of their low cost and relatively simple deployment.
“Indoor location and beacons have a very broad array of potential applications,” said Greg Sterling, VP of Strategy and Insights for the Local Search Association (LSA). “Through mobile apps, they can help deliver content, promotions or enhanced information in real-world contexts such as stores, airports and hotels.”
The novelty and excitement surrounding beacon technology has generated considerable media attention. Yet beacons are generally not well understood. The LSA and Future of Privacy Forum (FPF) created “Understanding Beacons: A Guide to Bluetooth Technologies” to address some of this confusion and the many misperceptions about how beacons operate.
“Beacons are a privacy friendly technology because apps that interact with beacons are controlled by users,” explained FPF Executive Director Jules Polonetsky. “The settings on leading mobile operating systems ensure that users opt-in before beacons can be used and before users can be contacted.”
The six-page guide straightforwardly explains how beacons work and provides examples of current use cases in the market. It also clarifies and dispels common misunderstandings about beacons and consumer privacy.
Understanding Beacons explores the following questions:
For those unfamiliar with beacons, their capabilities and technical limitations, Understanding Beacons will provide a very useful overview and introduction. The document is free and available here.
Download: “Understanding Beacons: A Guide to Bluetooth Technologies”
In the wake of Apple and Google’s recent decision to implement “whole device encryption” on their latest mobile operating systems, the FBI has warned that the tech giants’ actions will force law enforcement to “go dark” when it comes to keeping tabs of criminals. FPF has previously explored the question of encryption and law enforcement access, and encourages efforts by tech companies to make their devices and services more secure.
In the wake of Snowden’s revelations about government surveillance last year, there has been a renewed conversation about whether communications technology is sufficiently secure. At minimum, encryption helps to protect users against unauthorized access to their personal information. The question now facing policymakers is whether improvements in technical security must be sacrificed to enable lawful government access.
Kicking off a conversation on the merits of device encryption, Chris Wolf wondered whether today’s debate was simply a repeat of the crypto wars of the 1990s, or whether a new security balance ought to be struck. Wolf discussed that and more with Georgetown Law’s Carrie Cordero, Amie Stepanovich from Access Now, and Cato’s Julian Sanchez, who stepped away from planning a full-day symposium on the larger issue of government surveillance.
A Renewed Conversation about “Going Dark”
Cordero noted that the concept of “going dark” is nothing new, but stressed that there were significant differences between how the debate was waged in the 1990s versus today. Whereas previously the FBI was concerned about the ability to engage in real-time surveillance, it now has very real concerns about its ability to lawfully obtain stored information. This has changed since Snowden the aggressive implementation of encryption and other technologies by tech companies.
“Why are we talking about encryption now?” Stepanovich mused. “Computers have had default encryption on hard drives for many years without anyone raising an eyebrow, but now because it’s on a phone it’s different?” She argued that the current debate is inexorably tied to concerns about surveillance in the wake of the Snowden revelations. “The conversation we’re having isn’t because governments were going after bad actors, but because they were going after everybody. [We now know] how robust the efforts are to get access to your data when access can be gotten. If there is any vulnerable point . . . somebody is probably going to break in and get the data,” she stated. “[Encryption] comes from an abuse of gathering information.”
Wolf pushed back, asking whether such a decision ought to be made as a matter of public policy and not by device manufacturers. Stepanovich countered by suggesting one take a larger view: “These devices are sold around the world. If we start looking at the risk to the user worldwide, it becomes unacceptable . . . not to offer the most security they can offer.” Encryption should be viewed not as an unnecessary obstruction, but rather as an additional protection from unauthorized access to personal information.
However, Cordero cautioned against abandoning efforts to work on technical solutions to protect users against bad actors and allow compliance with law enforcement. She stressed that there remained a societal interest in preserving the capacity of law enforcement to serve lawful process to investigate crimes and national security threats. “What the government is talking about now is the ability to serve a court order,” she said.
What’s the Honest Impact?
Sanchez was skeptical of government’s ability to calculate how encryption actually impacts law enforcement. “We’ve been ‘going dark’ for a long time according to the government,” he stated. He highlighted lots of different ways that law enforcement can gain access to information without physically accessing a mobile device, and suggested that it was quite possible for an individual to be held in contempt of court and jailed for refusing to unlock an encrypted phone. While all conceded the Fifth Amendment protections against self-incrimination are murky at best when it comes to being compelled to unlock an encrypted device, Cordero cautioned that holding individuals in contempt was not a useful mechanism when time is of the essence. “Contempt proceedings aren’t going to be particularly satisfying for law enforcement,” she explained.
“We basically need magic,” Sanchez responded, critiquing the government’s position. He cautioned against treating tech companies like “magicians” and highlighted The Washington Post editorial board’s recent call for “golden keys” that would only work for law enforcement. Technical experts and security researchers largely agree that implementing any sort of hidden access feature also introduces exploitable vulnerabilities, he explained.
He also made the point that Apple’s “soup-to-nuts” business model, with its walled gardens and closed systems, is largely unique. “A general premise in computing is that someone will sell you a computer that comes pre-installed with things like Windows, and you could install other software like Linux,” he explained. “That’s an important value that’s given rise to a tremendous amount of innovation.” Comparing Apple’s mobile device business model to Android’s, which is largely open-source, Sanchez explained that the government’s position effectively wages a war on open-computing. “It’s not possible to force people to keep a backdoor they don’t want, or any attempt would be extraordinarily destructive,” he explained.
Looking Forward on Device Encryption
Wolf asked each panelist to preview where the conversation would be a year from now. Sanchez flippantly suggested public discourse would continue to be filled with “hypotheticals cribbed from The Blacklist.” Stepanovich noted that this debate has been ongoing in some form for decades, and we will likely be in the exact same place a year from now. She argued the only positive change could come from revisiting the logic behind the Communications Assistance for Law Enforcement Act (CALEA). She suggested that privacy advocates were largely playing defense rather than offense. “We need to put a law on the books [that states] government cannot force companies to put in a backdoor that makes users less secure,” she stated.
Cordero offered a different perspective. “If law enforcement is serious about pursuing this issue, they’re going to have to make the case.” Noting that many of the FBI’s most recent anecdotal examples of “going dark” have been debunked, she suggested the law enforcement needs to develop a more comprehensive factual record. “In the 1990s, the FBI presented a range of statistics and data that demonstrated factually that there was a situation requiring legislation. As well as GAO reports and independent studies. We need additional facts.”
At its core, she continued, this debate is the same argument as was against CALEA in 1994. “We made a judgment then [that forcing companies to comply with law enforcement] was a valid purpose,” she explained. If companies are no longer required to preserve that capability in the future, it will become costly for government to adapt as technology rapidly evolved.
Sanchez disagreed with comparisons to CALEA. He explained that CALEA applied to a small number of telecoms with centralized hubs, and there is a huge difference between what CALEA accomplished and what is being proposed now. “What we’re talking about now is forcing an architecture used by hundreds of millions of consumers that would preclude devices from running arbitrary code,” he argued.
Stepanovich returned to Cordero’s point that device encryption could prove costly to law enforcement. She noted that “tech has trended the other way.” Instead, technology has largely decreased the cost of government surveillance (which FPF Senior Fellow Peter Swire has also explained as leading to a “golden age of surveillance”). “Things like encryption counter that dip in price by forcing law enforcement to invest in more targeted surveillance,” Stepanovich said, which should be encouraged.
A Big Policy Choice: To Kill Encryption of Not?
Encryption, Stepanovich concluded, “gives users the ability to control their own data and gives them an option.” Highlighting was has been called “the least trusted country problem,” the costs of encryption must also be weighed against the effects of surveillance in other countries, which lack the legal safeguards of the United States.
Tech companies are responding to market pressures to do more to secure information, and additional encryption options are the result. The panel largely agreed that law enforcement still has alternative ways of accessing most of the information being encrypted on a device. “No body wants perfect encryption,” Sanchez concluded. “We forget our complicated pass phrases, and then everything is irretrievably lost.”
More discussion on the matter is clearly needed. As Cordero explained, “Law enforcement and national security may continue to stress this issue.” However, she also acknowledged that the issue may well be “politically impossible” to address.