Last month, Sens. Richard Burr and Dianne Feinstein from the Senate Select Committee on Intelligence unveiled a draft of the Compliance with Court Orders Act of 2016 that would require all technology companies — from mobile device manufacturers to application makers — to comply with court orders granting federal officials access to encrypted information. “No one is above the law,” the draft states, adding that tech companies should be able to protect user privacy with strong security while still complying with these legal requirements.
The Compliance with Court Orders Act is the latest development in the continuing battle to protect personal privacy while at the same time maintaining national security. It further brings to light how maintaining that balance presents a particular challenge as companies strive to meet their customers’ expectations regarding user experience and privacy.
One way tech companies try to figure out where this balance between security and privacy lies is through regulations and court rulings. But relying only on laws is problematic, according to John Pescatore, director at the nonprofit cybersecurity training provider SANS Institute.
“Regulations just specify some bare minimum; they don’t define security for anything,” he said at a CompTIA IT professional webinar last month. He added that not only is there no global definition for attaining this security-privacy balance because privacy laws vary by region or by country, but also that regulations and legal precedents can change over time.
Instead, Pescatore advises companies to start with three basic principles that can be combined and implemented in various ways:
- Confidentiality, or making sure the right people have access to information
- Integrity, or ensuring the accuracy of the information and that changes to data are tracked
- Availability, or making sure the information in your systems is accessible when it is needed
These three foundational ingredients should add up to help meet current regulatory requirements, but more importantly satisfy consumer expectations.
“No law came along and told Apple they had to protect things better than Microsoft did. … Those are not laws driving things; those are actually people’s demands for increased security and privacy,” Pescatore said.
Encryption can be an effective tool to enable this increased security and privacy if the aforementioned basic principles have been laid out properly as the foundation, Pescatore said. In the case of passwords, for instance, encryption is useless if users employ easy-to-guess or reusable passwords, or are susceptible to phishing attacks.
“The vast majority of attacks would have been foiled if we used … something as simple as a text message to your phone in addition to a password,” Pescatore said. “Once we’ve gotten to the point where we can at least protect the user’s authentication, that’s where encryption becomes very powerful” by allowing companies to be more flexible about where they store their data.
But despite encryption’s security strengths, including permitting access only when explicitly allowed, it’s very easy to implement the tool “badly,” Pescatore added. If keys aren’t managed properly, for example, encryption could prevent the right person from accessing their data, or make that access harder.
Further complicating matters are countries whose laws, in language similar to the Compliance with Court Orders Act draft, include the government in their definition of the “right person” to access data.
For companies such as Apple and WhatsApp that built their business model on giving their consumers sole control of their own encrypted communications, this puts them in a legal quandary, technology advocates recently told Recode.
Law enforcement has also suggested building backdoors into encrypted systems and data as the answer to this issue, but Pescatore doesn’t think so: He equated backdoors to securely locking a house and then leaving a key under the welcome mat.
“In the digital world, sooner or later, someone is going to find that key under that welcome mat, no matter how well that backdoor was hidden,” he said.
In part two of this blog post, Pescatore discusses how companies can wade through the various security standards to get guidance on developing security policies.