Las Vegas -- There are many ways in which government and law enforcement agencies attempt to get enterprises to comply with data requests, but experts say there is little legal support for those requests.
The Stanford Center for Internet and Society's Jennifer Granick, director of civil liberties, and Riana Pfefferkorn, cryptography fellow, said at Black Hat 2016 that companies are often under no legal obligation to comply with law enforcement data requests, because data requests are not orders and even court orders are not the law.
Granick said that under most of the legal statutes cited by law enforcement in data requests, companies have the right to fight back over "issues of appropriateness, necessity, burden [and] security," although she warned that even these issues can have murky definitions.
A meaningful burden could include the amount of work required to comply with the data request, potential damage to customers or financial or competitive damages to a company.
Granick and Pfefferkorn said many data requests fall under just a few statutes like CALEA, the Pen Register Act, the Wiretap Act and the All Writs Act. However, each of these statutes has limitations that should be understood.
CALEA only applies to companies that aim to replace phone lines, Granick said, such as VoIP services, but it does not apply to internet services in general. The Pen Register and Wiretap Acts only apply if the technical assistance requested is "unobtrusive and necessary." The All Writs Act was written in 1789 and predates the Fourth Amendment, so it is still unclear whether that act can be extended to modern technologies.
Additionally, Pfefferkorn said, these statutes stipulate that companies should decrypt data if the provider has both the data and the decryption keys, but they do not extend much further than that.
"General practice here has been that if the provider has the data and has the capability to decrypt it, they generally do so," Pfefferkorn said. "But is that actually correct? Is that right under the law? We don't know but this has been sort of the de facto law created by convention."
In cases such as the recent battle between Apple and the FBI, where Apple did not have the keys necessary to decrypt the data, these statutes do not apply. Pfefferkorn and Granick said the law is unsettled, but there are "strong legal arguments" companies can use if asked to decrypt data, provide encryption keys or find ways around encryption, including creating new software, signing malicious software updates or creating encryption backdoors.
"There is no obligation to build backdoors," Granick said. "And in fact there's really no obligation under CALEA to build in decryptability either. So there is no obligation under the law to put in backdoors. The upshot of CALEA and statutory authorities is that end-to-end encryption is legal. Period."
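The line the speakers draw between a provider that holds both the data and the key and one that holds ciphertext alone is an architectural choice, and it can be shown in code. The following Go program is an added example, not code from the talk or from any company mentioned. It models a hypothetical `Provider` (a constructed type, not a real service) that stores AES-256-GCM ciphertext; in the server-side scenario the provider generates and keeps the key and can produce plaintext on request, while in the end-to-end scenario the key is created on the user's device, never reaches the provider, and the same request fails because there is nothing the provider can decrypt with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider is a hypothetical storage service constructed for this example.
// It always holds the ciphertext it stores; whether it also holds the key is
// the design decision that determines what it can hand over on request.
type Provider struct {
	stored map[string][]byte // ciphertext blobs by message id
	key    []byte            // nil when the key never reaches the provider
}

func NewProvider() *Provider { return &Provider{stored: make(map[string][]byte)} }

// Store accepts an already-encrypted blob; no plaintext is seen here.
func (p *Provider) Store(id string, blob []byte) { p.stored[id] = blob }

// DecryptOnRequest is all the provider can do when asked for plaintext:
// it succeeds only if the provider itself holds the key.
func (p *Provider) DecryptOnRequest(id string) ([]byte, error) {
	blob, ok := p.stored[id]
	if !ok {
		return nil, errors.New("no such message")
	}
	if p.key == nil {
		return nil, errors.New("provider holds ciphertext only and has no key")
	}
	return open(p.key, blob)
}

func newKey() []byte {
	k := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open splits off the nonce and decrypts; a wrong key fails authentication.
func open(key, blob []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// ServerSideScenario: the provider generates and keeps the key, so it has
// both the data and the capability to decrypt it.
func ServerSideScenario(msg string) (string, error) {
	p := NewProvider()
	p.key = newKey()
	blob, err := seal(p.key, []byte(msg))
	if err != nil {
		return "", err
	}
	p.Store("m1", blob)
	pt, err := p.DecryptOnRequest("m1")
	return string(pt), err
}

// EndToEndScenario: the key exists only on the user's device; the provider
// stores ciphertext it has no capability to decrypt.
func EndToEndScenario(msg string) (string, error) {
	p := NewProvider()
	deviceKey := newKey() // never transmitted to the provider
	blob, err := seal(deviceKey, []byte(msg))
	if err != nil {
		return "", err
	}
	p.Store("m1", blob)
	pt, err := p.DecryptOnRequest("m1") // fails: p.key is nil
	return string(pt), err
}

func main() {
	pt, err := ServerSideScenario("meet at noon")
	fmt.Printf("server-side key custody: %q err=%v\n", pt, err)
	pt, err = EndToEndScenario("meet at noon")
	fmt.Printf("end-to-end encryption:   %q err=%v\n", pt, err)
}
```

The point of the two scenarios is that the provider's code path for a request is identical; what changes is whether the key was ever placed in the provider's custody. A provider that wants to be able to truthfully answer "we cannot decrypt this" has to make that decision at design time, because a key that is held can be demanded.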
However, Pfefferkorn warned: "If you build in backdoors, they will come. If you build in your own tools for access to encrypted data, don't be surprised if law enforcement wants to use those tools for their own purposes."
"Historically there was very little that companies were obligated to do under these technical assistance measures but [what] the government asks," Granick said. "Remember that requests are not orders, orders only come from the court. And even court orders are not a law. This is a very unsettled area of the law and judges in these ex parte hearings can sign things that are not substantiated in the law and cannot be enforced. That means companies need to exercise their independent judgement."
Pfefferkorn said companies should consider fighting back against government data requests, if they have the resources to do so, but they need to be careful about when to fight back.
"Think about how strong the legal arguments are on your side and on the government's side because you need to choose your battles," Pfefferkorn said. "Not every order that you get might necessarily be worth pushing back on and if you lose, it's possible that you're not just going to have a bad outcome for yourself, you're going to make bad law for everybody else. Figure out how to push back intelligently where you can and please, please talk about the demands you get if possible."