Jeff Blatt, from Tilleke & Gibbins International, is a legal professional who started his career representing some of the biggest names in Silicon Valley. He started as a tech lawyer and then moved to Asia to help launch and build a satellite TV service in Asia. He’s stayed in Asia but is still part of a US law enforcement agency, on a part time basis, with full-time police officer authority. Having worked on both sides of the privacy equation, he characterises himself as a “privacy evangelist” who argues security can’t always win.
“Given where we are today, with respect to privacy, this is not an old school ‘I’ve got a search warrant’ and here are papers in my desk kind of thing,” he said during the RSA Conference held in Singapore this week.
Blatt says there needs to be a digital safe space. He believes police can still do their jobs with respect to gathering intelligence without denying all of us the ability to “go dark in any fashion”. But government’s such as the “Five Eyes” group are pursuing a “nowhere to hide” strategy.
He says the governments have a three-pronged approach to achieving this strategy.
“The first prong relates to the governments wanting access to data in clouds no matter where those clouds are located anywhere on the planet regardless of the local laws where that data lies,” he said.
“The second prong is government’s desire to get data from any digital device it gets its hands on”.
“The third prong relates to the government’s use of malware to effectively hack into devices anywhere on the planet in order to satisfy the requirements of a search warrant regardless of where that data is located”.
This strategy is being born out in a number of recent criminal investigations said Blatt. The recent Playpen and Love Zone cases in the US and Australia respectively highlight this new world law enforcement finds itself in.
In the Playpen case, the FBI learned the public IP address of a Tor Hidden Service site called “Playpen” that was hosting child pornography. As the server was in the United States the FBI obtained a search warrant and seized the server hosting the site. They then operated the server for another two weeks duirng which they implanted malware into images.
That malware identified a number of people involved in the child exploitation ring in several countries who were then prosecuted.
Australian police executed a similar strategy when they took down Love Zone, keeing it running for several weeks in order to catch members.
In those cases, users of those sites in countries outside the jurisdictions of the law enforcement agencies had their computers effectively searched, leading to prosecutions in other countries as evidence gathered by one policing agency is shared to another. This could be considered a warrantless, and therefore illegal, search.
While no-one could argue that the outcome of the investigations – taking down the networks and prosecuting the ring leaders and members – was wrong, it opens a number of important legal considerations.
The battles are being fought
Blatt also mentioned another case concerning Microsoft that could have massive impact on cloud businesses and cloud service models.
“What happened in the US vs Microsoft case is the US obtained a search warrant in the Federal Court in New York directed to Microsoft that said there is an individual who was a subscriber of Hotmail in Ireland. His address book is on United States servers but his email is in Ireland. Microsoft provided the FBI with the address book but not the emails”.
Under Irish law, Microsoft felt they couldn’t do this and suggested the FBI pursue the data through treaty and other arrangements in Ireland. While it was technically easy to do – Microsoft admitted this – they did not want to set a precedent where warrants issued in the US could be applied internationally.
The case went to appeal where a judge ruled in Microsoft’s favour. But the case is now going to the US Supreme Case.
A similar case is also being pursued with Google where a magistrate ruled that Google hold provide access to email. However, Google countered that they did not actually know precisely where the data was stored as it was likely the data was actually scattered across many servers in many jurisdictions because their system is designed to “load balance and optimise performance”, said Blatt.
But the magistrate sided with law enforcement saying that as a US company subject to US law they should provide the data, disagreeing with the judge in Microsoft’s appeal.
Push it to the users
So, how can this be mitigated? Blatt thinks there is a way through this.
“One way to try to mitigate a risk is to make sure the users hold the encryption keys, to make sure the problem is pushed from a service provider to the user, making the government go to you, the owner of those emails”.
While law enforcement might not like that, as it effectively rules out the ability to secretly investigate someone, the objective pushes the problem down. It’s dissimilar to an intelligence action, which is something policing seems to be moving further towards.
What’s clear is that policing and intelligence agencies are pursuing a “nowhere to hide” strategy with the support of governments. We are seeing it in Australia with the metadata retention laws and moves by the Turnbull government to “work with” technology companies to give access to encrypted data.
Recent cases such as Apple in San Bernardino, and Google and Microsoft’s cases in the United States paint a stark picture. We are seeing private companies stand in court and look for ways to balance the needs to protect the legal rights of private citizens while satisfying the needs of law enforcement.
How this will all pan out is anyone’s guess. But it does seem there are ways forward.
Anthony Caruana attended RSA Conference in Singapore as a guest of RSA.