Going over the top
Credit: iStock.com/bombuscreative

Going over the top

Over-the-top applications like WhatsApp have replaced telecoms services as the world's preferred method of electronic communication. As more and more of these services offer end-to-end encryption, governments are having to rethink how they get hold of information that was once easily accessible.

Worldwide, lawmakers are facing the same problem. For years, most law enforcement agencies have had legal access to information provided to them by the telecoms sector; to get a licence to operate, telcos have had to build government access into their systems.

But now, billions communicate through over-the-top services like WhatsApp. These services present two challenges for lawmakers: they are generally not operated by traditional telcos; and they are end-to-end encrypted.

In end-to-end encryption, only senders and receivers can access messages. Even if they want to, operators simply cannot access the information to be able to pass it on.

The battle between providers of these services and law enforcement has played out in several countries: Brazil’s Supreme Federal Court is currently reviewing the constitutionality of a decision to ban WhatsApp, while Australia has introduced a controversial law that will force tech companies to give law enforcement agencies access to their IT systems and decrypt data.

In the US, too, a debate which has raged since a highly publicised fight between Apple and law enforcement agencies in the wake of the San Bernadino terrorist attacks recently flared up again after a US federal judge refused to release information relating to a reported government attempt to access Facebook Messenger encrypted voice data.

The Brazilian case

“Brazil has become quite notorious,” says Ronaldo Lemos, a partner at Pereira Neto | Macedo, as he describes the implications of a court’s decision to block access to WhatsApp after the platform declined to hand over information. “In my view, the decision was completely unconstitutional and illegal,” says Lemos. “WhatsApp is used by more than 100 million people in Brazil. There’s also a jurisdiction debate – the order was issued in state courts, but WhatsApp was stopped in the whole country.”

The decision has led to a review, in the Supreme Federal Court, of the constitutionality of suspending the service for the whole country. WhatsApp has been reinstated while judges review the case, but the outcome could have profound effects, says Lemos. If the court rules the original decision to be unconstitutional, Congress will have a hard time passing regulation that gives law enforcement greater interception powers, he says.

Elinor Cotait, a partner at Mundie Advogados in São Paulo, believes that despite rumours that the WhatsApp case has moved up the court’s agenda, a final decision might not be reached this year.

More pressing, she says, is an attempt by Brazil’s justice minister Sergio Moro to make several legislative changes, including to part of the country’s interception law. Moro’s aim is to force over-the-top providers to build systems that allow courts and the police to intercept communications made through messaging apps, Cotait says.

Those rules were originally designed for telcos, but the newer Internet Law contains a provision allowing judges to request the content of communications stored on servers. Services like WhatsApp, however, are not obliged to store content data on servers.

In the case that eventually led to the review, WhatsApp told the court that although they store some information, it is encrypted. Without a backdoor and without the means to decrypt, the company effectively could not access the information in order to pass it onto the court, it argued.

These developments, combined with other attempts at creating interception rules through criminal justice reforms, mean that companies operating in Brazil could reasonably anticipate a step-change in government data interception in the near future.

Down under, up ahead

In Australia, that’s already happened. The country’s Assistance and Access Act, which parliament passed in August last year, introduces a number of highly controversial obligations. For instance, it has created a tiered system of requirements for obtaining assistance, which start at “technical assistance requests” – ways companies can help authorities access systems or information on a voluntary basis – and end at “technical capability notices”, which can require an organisation to build a new capability that would assist law enforcement or national security.

Industry is concerned that the requirement to build in these new capabilities could allow for “backdoor” access into their systems, says Patrick Fair, a partner at Baker McKenzie in Sydney. The government has tried to dissuade critics that this is the case, citing a provision that stops the authorities from forcing companies to create “systemic weaknesses” or “systemic vulnerabilities”, but Fair says that the wording of the law means that organisations could still be forced to create a backdoor as long as it applies only to an individual user.

For Fair, the technical notice requirements are not the only noteworthy part of the law. Like many other jurisdictions, Australia’s historic interception regime only concerned telecoms companies. The Assistance and Access Act has changed that, with the creation of a “designated communications providers” category, which includes over-the-top providers.

Not only that, says Fair, the wider scope expressly includes component manufacturers, software manufacturers and anyone updating or supporting software in Australia, while extraterritoriality rules also mean that it could affect a website operator with only one customer in Australia. The rules, he says, are “extremely aggressive”.

And the US?

Unlike the Australian encryption law, authorities in the US have only general legal tools to seek access to encrypted data, says Trisha Anderson, a partner at Covington & Burling in Washington, DC.

Some traditional US investigative tools, issued through courts and codified in law enforcement procedures, contain general requirements for private parties to provide "technical assistance” to the government, Anderson says. Those obligations require companies to help authorities facilitate access to data.

In addition, the government has in the past relied on common law writs to seek the assistance of private parties in accessing data. In the absence of specific decryption requirements in US law, it’s likely that these are the “legal footholds” that the US government would rely on if it were to try to force a company to decrypt customer data. In the absence of legislation, the only way for the government to seek decryption would be through litigation. “There is a question about whether there will be specific encryption legislation in the US,” Anderson says. “But I think most people see that as unlikely anytime soon and that we won’t see anything like the Australian bill.”

This raises some problems, Anderson says. “Litigation as a general matter is not the ideal place for the resolution of a nuanced policy debate. The courts are not the kinds of arbiters well-suited to making that kind of national policy, but it’s such a difficult issue that it’s hard to be optimistic about this being solved by legislation any time soon.”

Robert Litt, former general counsel for the Director of National Intelligence and now of counsel at Morrison Foerster in Washington, DC, says that the government does not think encryption should stand in its way. “The government’s position is that when it has independent legal authority to obtain the contents of communications or documents – either a valid wiretapping warrant, a search warrant, or some other authority – the fact that the information is encrypted should not block the government’s ability to obtain that to which it is lawfully entitled,” Litt says.  

Finding a middle ground

For many observers, this policy debate presents a serious challenge. The competing needs of law enforcement and citizens’ privacy means that a solution that satisfies all parties seems so difficult as to be nearly impossible.

Officials from the UK’s National Cyber Security Centre and the Government Communications Headquarters last year suggested another way that they believe could square that circle – through the use of so called “virtual crocodile clips”.

Service providers, they said, could “silently add a law enforcement participant to a group chat or call”, which would allow authorities to listen in in much the same way as they have done for decades with traditional telecoms services, without breaking encryption. They suggest doing this with the usual checks and balances from independent judges and authorities, meaning that the government would not be given any power it shouldn’t have.

But, says Covington’s Anderson, this proposal would be carried out under the terms of the UK’s Investigatory Powers Act – the same law that is widely seen as the main barrier to the UK achieving an adequacy decision from the EU after Brexit.

The solution that many lawyers suggest is that authorities make better use of metadata. Many jurisdictions have a mandatory retention requirement for this type of data, which provides information like IP addresses, locations and times of communication, rather than the actual content of the communications. As Sydney-based Fair notes, metadata can be “very revealing about people and their lives”.

Access to metadata provides authorities with an “extremely powerful tool for investigations”, says Lemos. Adding access to content data as well, he believes, is “too much”, and would disrupt the delicate balance between the government’s needs and individual rights.

Authorities are likely to see that differently, says Anderson. The government would argue that content is king, she says. “It can tell you where and when a terrorist is going to commit an attack, for instance. Metadata can be very revealing, but the government would say that there simply is no substitute for content,” she says.

At the same time, Anderson notes that there have been challenges over the collection of certain non-content data. The Carpenter decision in the Supreme Court expanded the requirements for the collection of metadata – a decision which “reflects the general trend in courts to enhance privacy protections”, Anderson says. That may lead the government to argue that it is becoming more difficult to collect even non-content data, and therefore that access to encrypted messages is more important than ever.

For Morrison Foerster’s Litt, one question remains unanswered. Computer scientists argue that government access will compromise the strength of encryption, but the “relevant question”, he says, is “whether that risk can be minimised so that it is outweighed by the social benefit of lawful government access, which is the way risk is usually evaluated”.

It’s unlikely that these debates will resolve themselves any time soon. But as Fair notes, some aspects of the Australian rules – which may be seen as a template for other jurisdictions – mean that companies could be forced not only to hand data over, but to weaken their own systems.

As well as affecting individual privacy rights, he says, the possibility remains that overzealous governments may end up eroding the security they seek to enhance.