Lawyers and lawmakers have a shaky grasp of encryption. The danger is that as the technology evolves, lawyers' understanding will fall even further behind, argues Jeremy Phillips.
Considering how important encryption is, the legal community as a whole knows little about it and understands it still less. Those involved in e-commerce are familiar with encryption as a secure means of enabling account details and payment particulars to be communicated over the publicly accessible internet.
Broadcasters appreciate its use as a means of depriving non-payers of the right to receive subscription-only transmissions. Makers of games consoles and software regard encryption as a convenient means of dividing markets and preventing even lawful use of their products in geographically disfavoured zones, while producers of bespoke and low-volume computer programs have seen it as a means of fending off both unwanted users and over-curious competitors.
Each of those perspectives may be valid, but do we need a wider view? Possibly because of the pervasive nature of encryption, we lose sight of its characteristics. Is it a way of implementing a data policy or is it a substitute for having one? Does it exist as a technical solution to a technical problem? Is it perhaps the handmaid of legal efficacy? Or is it a socio-political tool for the governance and control of an increasingly sophisticated electorate?
In truth it is all these things. Because of its many roles and uses, encryption has the characteristics of the chameleon.
Lack of clarity
From a lawyer's point of view, lack of clarity is frustrating. There is no all-embracing legal meaning of the term 'encryption', or of its counterpart, decryption. In some circumstances, failure to encrypt may be regarded as negligent or reckless; in other circumstances making the effort and meeting the expense of encryption is no guarantee that liability will be avoided.
Its use may enable a company to protect its business legitimately, or may raise issues of market division and unfair trading. And where official secrecy is at stake, issues such as national security, which craves secrecy — and the public interest, which so often abhors it — tug encryption in opposite directions.
As a commodity, encryption is also unfamiliar to most of us. Who owns encryption? No-one, of course, since it is merely a concept and, as such, not susceptible to ownership. Yet patents are available for specific means of encryption, while both software and algorithms may enjoy copyright protection as well.
Separate rights may also govern the content that is subject to encryption, whether in the form of traditional copyright for media packages such as films, games and broadcasts of sports events or in the form of data-protection rights for sensitive personal information and trade secrecy for industrially and commercially valuable know-how.
All this means that, at any point at which encrypted information is hacked into, leaked, lost completely or abused, that point marks the intersection of a variety of public and private rights and duties. There is no convenient way of saying which interest trumps the others.
Losing sight of the chameleon
When deciding how to respond to any encryption-related legal problem, civil and criminal courts are generally bound by imperatives that stem from bodies of jurisprudence that were evolved before today's technology-driven society emerged.
These imperatives include the rules for interpreting statutes — narrowly in criminal proceedings, more widely in civil actions — and second-guessing the intentions behind business deals, the achievement of justice in the individual case and the need for proportionality in the balancing of competing interests.
The chameleon adapts its colour to its surroundings and encryption adapts its utility in much the same way. Where the deployment of encryption, and the nature of its technical parameters, run sufficiently far ahead of the understanding of legislators and legal practitioners, the law may lose sight of this chameleon altogether. Perhaps now is the time to get more firmly to grips with it.
Jeremy Phillips, intellectual property consultant to law firm Olswang and professorial fellow at the Queen Mary Intellectual Property Research Institute, is a research director at the Intellectual Property Institute. He is a member of the IPKat and Datonomy blog teams.
Talkback
This article is an interesting view, considering the backwards policies of countries like Britain, Russia, and to some extent the US. The governments and politicians and "security" forces of these countries are lazy, ignorant, venal, and in some cases just plain stupid when it comes to the use of encryption technology by and for their own citizens. They choose to treat their citizens as enemies, denying them the simplest protections of privacy and security by criminalizing encryption for the population. They claim they need to do this because of the need to keep encryption and secrecy technology out of the hands of evil doers -- criminals, terrorists, pedophiles, etc. -- who will use crypto technology to further their evil enterprises.
Well, duh, yeah... evil doers use whatever they can to further their goals, including guns, knives, bombs, phones, crypto, cars, banks, the stock markets, and computer disks. Are you going to make all of those illegal too?
However, it's even worse. By criminalizing crypto technology for ordinary citizens, by failing to provide the means for them to protect their data and information and privacy, you make it so much easier for the bad guys to prey on the rest of us. And the bad guys have always been able to get and use the very best crypto in the world -- they don't need the basic crypto the rest of us would use, if you hadn't made it illegal for us to use even that.
"When crypto is outlawed, only outlaws will have crypto."
And when I say the bad guys, I'm talking about the Chinese military, the Russian mafia, the cyber jihadists, and the 15 year-old hacker who lives down the street. Without even a modicum of encryption, which you deny us, these evil forces will wreak ever increasing havoc on our citizens and our societies. Look... in China alone, there are over 100 institutes doing "computer security" research, and by research I mean learning how to do cyber warfare and cyber invasion. And yet you continue to deny us the most basic protections for ourselves and our families.
Security and crypto technology must become pervasive throughout our societies, used by young and old alike, for the protection of our private lives and our public social interactions.
Think of it this way. What you're doing now is the equivalent of outlawing locks on doors. While it is true that the police would find it much easier to enter the lairs of criminals and terrorists (if they could find them), it also means any of the bad guys could easily walk into our homes, at any time, and do whatever they want. And all because the "security" forces are too lazy and stupid and want an easy walk-in into any house. Of course the smart criminals would stop using houses (or any buildings) while the rest of us would still be stuck in lockless insecure homes.
Time all of us got to grips with encryption. Hell, time all of us got some encryption.
Action item - if you think crypto should only be used by government and business, and that it should be illegal for everybody else, here's what you should do: stop being stupid.