Date: October 26 (Thu.) 2021, 14:00-16:00
- Sean Lee, Head of President Office and Head of Information Security Division, SinoPac Holdings
- 林俊宏, Managing Director, Judicial Reform Foundation
- Celeste Yang, corporate counsel for Corporate, External, and Legal Affairs, Microsoft Taiwan.
Human’s wishes and methods to encrypt messages are not new. Throughout history, different technologies have been deployed to encrypt messages.
Thanks to the advancement of computing power, encryption technologies have become more and more complicated. There are four main elements in encryption: plaintext, algorithm, keys, and ciphertext. Algorithms are used to produce encryption and decryption keys, which are then used to encrypt plaintext into ciphertext or decrypt ciphertext to plaintext.
Current encryption technologies are reasonably unbreakable. A 128-bit key would require billions to tens of billions of years of high-performance computing power to decrypt.
The derivative technology, key escrow, takes one more step to ensure security by escrowing the key with a third party. The key escrow technologies are utilized for mainly two purposes. One is criminal investigations; law enforcement gets the keys from the escrow provider without having to reveal the identities of the parties using the keys. The other is keeping a copy in case of losing the keys.
One of the common topics people raise when discussing encryption, especially the escrow aspect of it, is privacy. The moderator thought the issue of privacy could be approached from 3 perspectives. First of all, if the state decrypts civilian communications relying on access to the key escrow third-party provider, it could be deemed as violating citizens’ privacy.
Secondly, under the circumstances where parties are required by law to hand the key to a third-party escrow provider, acquiring the key from the escrow provider essentially equals having the alleged suspect confess about his own crime. This will violate the principle of ‘nemo tenetur se ipsum accusare’ (right against self-incrimination).
Finally, encryption keys are related to free speech. People communicate in various ways. One of them is through program languages. Mandating the keys used in encrypting private communication to be stored at a third party, in essence, is conflicting with the idea of free speech. This is also why key escrow is currently a voluntary act in the United States. Key escrow, if mandatory by law, can be a way of regulating encryption. Is that a good example? How should we regulate encryption? The moderator posed three questions to the panelists:
- What are the benefits of law enforcement forbidding businesses to encrypt their data or requiring them to provide encryption keys for criminal investigating purposes? What are the privacy impacts? Any real-life examples? Are there alternatives or appropriate overseeing mechanisms?
- To protect customers’ privacy, technical companies could refuse to cooperate with law enforcement and turn in the. What are your thoughts on this?
- Is it possible for technical companies and the government to work together and develop a solution that protects privacy while enabling law enforcement?
Answer to question 1:
From cases locally and internationally, the only thing we can say is that law enforcement faces severe challenges decrypting encrypted devices. The Grand Chamber of the European Court of Human Rights’ ruling this May that upheld a 2018 ruling that the British mass surveillance and intelligence-gathering practices were a breach of human rights laws could also encourage the development of encryption technologies.
Last year, the news broke out that some legislators in Taiwan were receiving brides. Law enforcement has required the message platform LINE to cooperate and provide data against the allegation that the legislators used LINE to exchange messages regarding bribery. However, LINE refused to cooperate and didn’t provide any data. The case was solved in the end using the traditional way; the prosecutor confiscated the suspect’s computer and accessed the messages from the hard drive. This was another example of how encryption can hinder law enforcement’s work.
The Taiwanese Technology Investigation Act, proposed in September 2020, would increase authorities’ ability to monitor private communications stored on a user’s electronic device. Considering that the proposal has raised many concerns and remained controversial, it is highly unlikely the proposed act will become law soon.
As society and our daily lives continue to digitalize, a lot of criminal conducts, evidence, and traces are stored in digital devices. It will help law enforcement a lot if they are authorized to decrypt and access the data. For the technical companies, however, they also have plenty of good reasons not to hand out decryption keys upon request. It can be because they have promised to protect their customers’ privacy or that they want to prevent hackings and data breaches, stay away from state abuse of power, and are wary of the consequences of mishandling by employees.
Access to keys could tremendously benefit international cooperation in fighting crimes. Lee suggested that future proposals that aim to regulate encryption technologies should make a clear distinction between criminal investigation and intelligence collection. He imagines a standardized procedure that entails triage, court orders, third-party watchdog, and international consensus. He also believes that it is the business’ social responsibility to legally assist the state authority to protect its citizens. According to Lee, technical companies should charter a standing committee. The committee would be responsible for providing ‘one-time access or minimum necessary information to the law enforcement.
Answer to question 2:
Law enforcement should only request ‘one-time access’ to attain data. If it is not appropriate for companies to provide keys, there could be installed a mechanism overseen by a third party to provide data for law enforcement’s needs. As long as current technology is not able to access encrypted data used in crimes, the need to attain decryption keys remains strong and relevant.
Answer to question 3： Both the government and businesses should refrain from making pre-emptive assumptions about the other party. Law enforcement should have preliminary understandings of data and technologies, and the technical companies should also appreciate the difficulties faced by the government. Take the United States for example: companies will take down hate speech on their own. Additionally, the government can examine individual cases through existing committees. Technical companies also have contracts with the clients, forbidding the latter to conduct activities that harm national security or violate social orders via their platforms. It is not acceptable for law enforcement to request backdoor from the companies. There should be a mechanism in place for the government and technical companies to communicate, and the metrics for individual case examinations should also be clear.
Answer to question 1:
The key escrow model is established on people’s trust in the government. From current circumstances, it is still difficult for the people to trust that government will restrict their use of the keys only in criminal investigations. China, for example, is already using data gathered from mass surveillance to govern its people. In order to ease the concerns, we need stricter laws to regulate the government’s legitimate use of civilian data.
There are plenty of other approaches the government can employ with law enforcement in addition to key escrow. Key escrow is only emphasized because it is the easier and more convenient way. The risks of escrow providers becoming targets of security threats are extremely high, and that should be a prominent concern for the government. We also need to clarify the escrow providers’ responsibilities and obligations.
There is still a lot to be discussed and considered. For example, there should be a third-party overseeing mechanism to review the technical approaches the government takes to access encrypted data. The concerns of state government accessing data beyond its stated purposes should also be addressed. In the case where the government uses invasive technical means to access data, collateral damage should be assessed, and compensation/recovery methods should be considered.
Most courts do not equip enough professional knowledge when it comes to these issues. One possible solution is to seek consultation/assistance from professional third parties. Technology investigation involves an abundant amount of data; the relevant legitimate requirements and privacy protection rules should increase and clarify accordingly. It would be naïve to rely on the state’s benignity when it comes to technology investigation and data governance. We have to ask a lot of questions: how does law enforcement determine the possibility of alleged corpora delicti? Where should we set the threshold of submitting data requests? How to ensure accountability? Is a third-party independent supervising committee necessary?
Answer to question 2：
Answer to question 3：
The ultimate goal of any business is to attract more consumers. When consumers find out that companies are handing their data to the government, they might decide to leave. This is indeed a dilemma for the companies. People want a regulation clearly defines what can and can not be done with their data, but in reality, the legislative process is not that easy. This process will need multistakeholder participation.
Answer to question 1：
Microsoft has been aware of the significance of data protection as early as 2013. For Microsoft, they want to support technology advancement while being cooperative with the government, and they also value protecting customer data. The best available technology now to protect data is encryption, and that is why Microsoft is using it.
According to GDPR, Microsoft is a data processer, and its ability to process the data shall be strictly limited within its stated purposes. In the case where law enforcement requests decryption keys from Microsoft, the company would relay the request to the data owner. If the data owner forgets the password to access their data, Microsoft will provide ways to retain access. Under extraordinary circumstances where the authority requests data for investigation according to specific laws, Microsoft would be cooperative after vetting the request complies with the law. Law enforcement requesting a backdoor is a massive problem for the business. Implementing backdoors equals revealing the system’s vulnerabilities, which can increase the risks of inviting attacks that exploit such vulnerabilities. Both Taiwan’s Cyber Security Management Act and GDPR recommend protecting data with encryption technologies. Microsoft hopes government appoints an independent judicial authority that supervises the implementation and fairness of relevant regulations. The independent judicial authority should take the protection of free speech in the International Bill of Human Rights into account, and any conflict between the regulation and Bill should provide a clear rationale outlining the legitimate purposes and applicability.
Answer to question 2：
Technical companies deploy encryption in compliance with the law and its contract. As to whether tech companies should regulate content on its platform, Microsoft, as a technical service provider and not platform service provider, has no authority to access customer data and would not comment on relevant measures. The Taiwanese government does not authorize businesses to survey criminal behavior (child pornography is the only exception, which Microsoft address using the Photo DNA technology). As suggested by other panelists, there are other ways to investigate crimes, and Microsoft is willing to assist whenever possible and legal.
Answer to question 3：
Microsoft stands ready to assist the government in fighting crimes and has established cooperative relations with local and regional law enforcement, including Taiwan Criminal Investigation Bureau (CIB), FBI, and Europol, to name a few. Microsoft expects a clear legal framework from the government when establishing such cooperation and stresses that any request to access data must comply with the applicable jurisdiction and law.