The fear of enforcement agencies that they may not be able to access consumer data may still be far-fetched.
As consumer privacy becomes a major issue, more and more consumer technology companies are trying to encrypt user data. Law enforcement agencies complain that this is leading to a situation where they are completely unable to intercept user communications for national security purpose. Going Dark, as this phenomenon has been called, has become a major debate.
A study by the Berkman Center for Internet & Society at Harvard University—results of which were made public recently—has found that end-to-end encryption and other technological architectures for obscuring user data are unlikely to be adopted ubiquitously by companies, as it will negatively impact their business.
So, in effect, the fears may be unfounded.
Though the study concerns itself with the debate in the American context, many of the issues raised are same or similar across the world. In India, for example, though law enforcement agencies have much more power to intervene, lack of availability of data with the service provider—in case of end-to-end encryption—will still make things difficult for them.
“The US intelligence and law enforcement communities view this trend with varying degrees of alarm, alleging that their interception capabilities are going dark,” the report says. “Government officials are worried that without access to communications, they may not be able to prevent and investigate crimes such as terrorist attacks,” it adds.
The agencies are of the view that the companies be forced by law to maintain access to user communication and data and provide access to law enforcement on demand, following the legal process. Their contention is that with encryption, companies claim they themselves do not have access to that data. So agencies cannot get anything.
“However, the private sector has resisted. Critics fear that architectures geared to guarantee such access would compromise the security and privacy of users around the world, while also hurting the economic viability of U.S. companies,” says the report introducing the debate.
The study concluded that encryption actually runs counter to the business interest of many companies. It observes that for close to one and half decades, B2C online companies have relied on ad-supported model, which is increasingly shifting towards data-drive advertising, which takes into account demographic and behavioral data to serve targeted ads. This is not possible without having access to unencrypted user data. They typically ensure privacy by guarding that data so that it does not go beyond the boundaries of their companies.
It also notes that end-to-end encryption is impractical for companies who offer services that requires access to plaintext data. A third reason is end-to-end encryption added another level of complexity which often results negatively affecting user experience. No B2C company would like to do that. That is the reason why Facebook and Google (Android) not implemented encryption till date.
The study’s finding is important because it concludes that going dark could be a remote possibility because of business interests of companies—and not only because of demand by law enforcement agencies.
Here are some of the other findings from the study
- Software ecosystems tend to be fragmented. In order for encryption to become both widespread and comprehensive, far more coordination and standardization than currently exists would be required.
- Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.
- Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.