In the wake of news from Reuters on Friday that a federal court in California rejected Department of Justice demands that Facebook break, bypass, or remove the encryption in its Messenger app, it’s worth noting how little we still know about such an important dispute.
Depending on what specific relief the government sought from the court, the case may signal a potentially significant threat to the security of Internet-based communications. In a hyperconnected world, the implications of the government’s demand for expanded surveillance capabilities go far beyond any legitimate law enforcement equities in any single case.
Yet almost nothing is known about the details of the Facebook case because the records remain under seal. Absent more information, the public has no clear way of assessing the impacts for security that are at stake.
Based on Reuters’ account, we believe the government likely relied on a provision in the Wiretap Act, 18 USC § 2518(4), allowing courts to compel third parties (such as communications provider and landlords) to assist in implementing a criminal electronic surveillance order. If press accounts of the government’s demands (and our interpretation of them) are correct, we firmly believe that the approach is worrisome and misguided for at least three reasons.
First, if eventually granted, such an order would undermine the effectiveness of a technology—encryption—that is a critical enabler of security for consumers, businesses, and even governments. Privacy vs. security is a false choice; strong encryption is foundational to protecting the security of information against cybercrime attacks. Furthermore, as the Snowden leaks made all too clear, secret attempts by governments to undermine the security of technology can backfire —damaging the economic prospects of companies competing in an increasingly global marketplace.
Second, the government’s approach, if accepted in this or other proceedings, would upend a balance carefully struck by Congress—after vigorous public debate—regarding which communications providers should have an obligation under the Communications Assistance for Law Enforcement Act (CALEA) to facilitate law enforcement wiretaps on their systems or networks. Under CALEA, those providers who offer covered services in the US must be capable of implementing a wiretap upon receipt of a lawful order from the courts—and cannot argue that their technology is incapable of doing so. But in determining who offers a “covered service,” Congress specifically exempted “information service providers,” including “electronic messaging services” like Facebook Messenger.
Put simply, the bounds of mandatory law enforcement assistance were drawn by CALEA so as to exclude the precise relief the government appears to seek in the Facebook case. Prosecutors cannot ask Courts to bypass these CALEA restrictions in the guise of a wiretap assistance order.
Third, this interpretation of the assistance provision in the Wiretap Act would represent a dramatic expansion of the government’s authority to commandeer services in ways that interfere with their expected use. As the 9th Circuit made clear in The Company v. US, the government must minimize interference with the service that is being provided to the subject of the investigation when commanding assistance of a third party under 18 USC § 2518(4). Where security of the communication is integral to the service, removing encryption would likely violate the “minimum of interference” requirement in the statute by preventing the delivery of the promised service—secure messaging or communications.
And if the government cannot use its authority under the Wiretap Act to deprive the use of contracted services , it should certainly not be allowed to use that authority to impact the security of other users of the service globally. In this regard, the recent litigation likely raises a larger question: to what extent will communications technology be built to facilitate surveillance rather than to facilitate secure communications?
Public debate vs. secretive lawyering
The government asserts that updates to the law are necessary given the evolution of both technology and threats we face as a society. However, changes affecting the balance struck in CALEA should only be made after an open, public debate about how to weigh law enforcement interests in ensuring access to data against the benefits of shielding sensitive communications from the many harms caused by unauthorized access and misuse.
Judge Orenstein reached a similar conclusion in 2016, when he rejected the government’s efforts to force Apple to extract data from an iPhone using the All Writs Act of 1789. In doing so, he wrote:
How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago. But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive.
This critical debate has not progressed much over the last two years. The government should contribute to the discussion by transparently reporting how often it makes wiretap assistance demands of the type that were reportedly put to Facebook. Any attempt to short circuit this process through a secretive end run to the courts in the name of security concerns should be squarely rejected.