Rights to Privacy or Not? - The Great Debate of the Cyber Age
Introduction
With the FBI challenging Apple and Google on encryption-by-default, and Robert Hannigan, the new head of GCHQ, outlining that leading US technology companies are supporting terrorist command and control networks, it can be seen that the debate over the right to privacy against the rights of society intensifies by the day.
This debate is intensifying as the opportunity to properly protect digital artifacts increases with more powerful devices, and with the increasing threats around data leakage. In the US, there is thus increasing tension for the tech companies (mainly Microsoft, Google, Facebook, YouTube, Skype, AOL and Apple) in balancing the protection of privacy against the rights of society to detect malicious activities. While this is becoming more challenging in the US, in the UK, law enforcement has even greater challenges because they are working across legal borders, as much of the data is held outside the UK.
One of the greatest challenges for investigators is working across national boundaries, and UK law enforcement often struggle to gain access to digital information which is held within US-based Cloud infrastructures. Government departments in the US seem, though, to have a much stronger ability to have information released by Microsoft from within its Dublin-based Cloud infrastructure.
Mr Hannigan feels the tension and states that, within high-risk areas, "privacy has never been an absolute right", and that extremist groups are using the Web to its maximum effect. His viewpoint is that, in the past, extremists have hidden themselves in the dark areas of the Web, but Isis has used it to "promote itself, intimidate people, and radicalise new recruits."
The Tension between the tech companies and law enforcement
In the UK, RIPA defines that law enforcement agencies can gain access to digital information on citizens, with the support of a warrant, whereas, in the USA, the PATRIOT Act has a much wider coverage for law enforcement agencies to obtain information on individuals, if relevant to counter-terrorism or counter-intelligence investigations. At the most extreme end, Section 215 of the USA PATRIOT Act allows the FBI to gain information from the Foreign Intelligence Surveillance Court related to international terrorism or espionage. This allows the US authorities access to personal data stored within the EU by US-based companies, completely disregarding UK and EU legislation on data protection. These requests are known as National Security Letters (NSL), and are requests from the FBI to organisations, and should not relate to ordinary criminal, civil or administrative matters.
In 2013, Google published in its transparency report that it received 53,356 requests for data affecting 85,148 accounts. The rate of acceptance of the requests ranges from 75% to 100%. For 2013, Microsoft received a total of 35,083 requests related to 58,676 user accounts, which resulted in a rejection rate of 3.4% (although 17.85% of the requests resulted in no data being found). It can thus be seen that the majority of requests are accepted, and go forward to a disclosure to the requester.
As the Big Nine Internet companies finally gave in to the PRISM Act, there is a general worry about the scope of the PATRIOT Act in the US. Thus the EFF (Electronic Frontier Foundation) have awarded gold stars to organisations for the following:
- Star 1: Requires a warrant for content.
- Star 2: Tells users about government data requests.
- Star 3: Publishes transparency reports.
- Star 4: Publishes law enforcement guidelines.
- Star 5: Fights for user privacy rights in courts.
- Star 6: Fights for user privacy rights in Congress.
The six-star companies include Dropbox, Google, Microsoft, Twitter, and Yahoo, while Amazon gains two stars (stars 1 and 5), along with AT&T (stars 3 and 4).
Encryption-by-default
With Google’s Lollipop being released next week, security will be at the core of its changes. An important element of this is encryption-by-default, where users will have to opt out of encryption of their files. Apple, too, with iOS 8 has taken the same route, and users must ask: “Why didn’t it happen before this?”
Our file attributes and content types have developed with little thought on keeping things truly private, and systems are often still viewed as stand-alone machines. We also created an Internet which is full of the same protocols that we used in the days of text terminals and mainframe computers, where users typed in commands to access data, and where there was little thought about protecting the data as it is stored, analysed and transmitted. As we increasingly go mobile, we are now carrying around our sensitive data, which at one time was protected behind physical firewalls, and the risks to our data increase by the day.
The major tension, though, is between law enforcement and the right to privacy. The FBI currently see the status quo as a way of investigating criminals and terrorists, but can see this opportunity reducing with encryption-by-default, such as with the file encryption system used in Apple's iOS 8. With iOS 8 and Google Lollipop there will be no electronic methods to access encryption keys from existing digital forensics toolkits, and thus the encryption method breaches current laws, which force users to reveal their encryption keys when requested by law enforcement investigators. This would mean that users may be breaching current laws in both the US and the UK. The same battle exists with Tor, where law enforcement are scared that crime can go unnoticed, whereas privacy advocates promote the right to privacy in using Tor.
No right to remain silent with Cryptography
In the UK, citizens have the right to silence (a Fifth Amendment Right in the US – related to the right against self-incrimination) but there is an exception to this related to encryption keys, and the failure to reveal encryption keys can often be seen as a sign that someone has something to hide, and is covered by Section 49 of RIPA. The move by Apple and Google may thus breach the law, as they must be able to hand over their encryption key when required. This was highlighted in 2014 when Christopher Wilson, from Tyne and Wear, was jailed when he refused to hand over encrypted passwords related to investigations related to an attack on the Northumbria Police and the Serious Organised Crime Agency’s websites. He handed over 50 encrypted passwords, but none of these worked, so a judge ordered him to provide the correct one, but after failing to do this, he received a jail sentence of six months.
In 2012, Syed Hussain and three other men were jailed for discussing an attack on a TA headquarters using a home-made bomb mounted on a remotely controlled toy car. Syed, who admitted having terrorist sympathies, was jailed for an additional four months for failing to hand over a password for a USB stick.
The Perfect Storm
The main problem that we have with computer system security is that, as computer systems have evolved, we created file systems which only protect using file attributes. This works well from a corporate point of view, where we can keep compatibility with previous systems, and also allow system administrators to keep full control of them. The mobile device operating system creators (mainly Google and Apple), though, have different issues to the traditional desktop operating system creators, as their devices are on the move, and often stolen or left behind.
As we increasingly integrate the mobile phone with our lives, especially in creating a digital shadow on the Cloud, the devices need to be more protected than our traditional desktops. Along with this, Apple and Google have complete control over their operating systems, and can implement radical changes in a way that Microsoft would have struggled with (while still keeping compatibility with an operating system released over a decade ago: Windows XP). So Apple and Google are not constrained by the past, and find their hardware platforms are whizzing along with increased processing speeds and memory capacities, in a way, again, that Microsoft would struggle with, as they have so much legacy hardware that would struggle with modern cryptography.
So Apple and Google now find themselves with a market that will quickly change its mobile devices and keep up-to-date, and thus do not have the long tail of devices to support. If a user wants to stick with a certain operating system, they can, but there's a good chance that their applications won't work. With phone manufacturers pushing new phones all the time, both Apple and Google are keen too to plug the gaps in traditional operating systems, especially related to security, and they have the perfect storm with SSDs (rather than the horribly slow HDDs), and fast multi-core processors, each of which now makes encryption possible on a device that fits in your hand. Gone are the days when you needed a special maths chip to do complex cryptography.
Conclusions
We are increasingly creating a long digital shadow in the Cloud, and this information is typically stored within the cloud infrastructures created by US-based companies, such as Google, Microsoft and Apple. It has been seen that these companies often must comply with the PATRIOT Act, even when it overrules European data protection laws. Law enforcement agencies in the UK often struggle to gain access to US-based information, thus agencies within the US have an advantage over their UK-based equivalents.
Yahoo, after being criticised for being one of the first Internet companies to comply with requests related to PRISM, have now been shown to actually have fought against the request. They have fought to release the documents around the fine, in order that there is some transparency around it. For the major Internet companies, such as Microsoft, Google, Facebook and Apple, there is a strong focus on user trust, and they are keen to make sure that they can build trust with the user, in that the companies will fight on their behalf against PRISM requests.