February 19, 2016

Applegate: This is Not Sustainable

The hoopla this week around Apple’s grand stand against the Feds’ demand that the company compromise the dead phone of a dead man (http://www.wsj.com/articles/tim-cooks-dangerous-game-1455745398?mod=e2fb) evokes a deeper and more important concern.

At first blush, this would seem a no-brainer: 

Bad guy terrorist gets offed and leaves behind a pin code-protected phone which might host information important to law enforcement.  Why would the maker of that phone not crack the code to enable the government to access whatever intel it might contain?

Simple answer: Because our government has demonstrated that it cannot be trusted not to leverage this particular “one-off” to abuse the privacy of any and all of us, because, well, because they can.

A sad, sad state of affairs.

It’s no surprise that our government (every government) engages in espionage and surveillance.  And, to some extent, rightfully so, if appropriately controlled (a BIG if, as we have all learned in recent years).  

But, as technology has advanced so rapidly over the last couple of decades, control, reason, judgement and laws have been eclipsed, leading to rampant government abuse – because, again, they can.

Ed Snowden has demonstrated time and again that our government has – perhaps unwittingly (I'm being gracious here) - been overcome by technology run amok.

Lawful intercept, review, storage, etc. have all fallen by the wayside as more and more data is gleaned via more and more arcane methods, all justified by the fear-based culture that our government has nurtured over the better part of the last two decades.

So, is it any surprise that Apple battles back against government demands to crack just this one phone?

No, not at all.

American information and communications technology (ICT) leaders are reeling in the wake of all-things-Snowden – their global sales and brands suffering as trust in their commitment to data integrity has effectively dissolved.

Apple is on the ropes.  Others will be.

In the absence of trust, capitulating to this supposed one-off request might well ruin a company.  And Apple knows this.  Notwithstanding government assurances to the contrary, there is very little reason to believe that the one-off compromise wouldn’t become the norm, or, worse, be used by “bad guys.”

Moreover, governments around the world would almost certainly mimic the U.S. demands, as well as abuse of the output, further shaking everyday individual trust in all things digital.

How did we get here?

Governments have always engaged in what might seem unsavory activities in pursuit of the betterment or protection of society, with at times all-too-ready disregard for the rights and liberties of the governed.  The general population simply didn’t know, or perhaps care.

But, today’s remarkable digital world that we have learned is subject to government abuse also facilitates heretofore unheard of transparency – no matter how much the powers-that-be would prefer certain activities to remain in the shadows, they are increasingly frustrated to manage those shadows.

But, knowing that we now know, they still just can’t help themselves.  And we, post-Snowden, are very challenged to trust them.

And that’s why Cook has made his stand. 

Don’t get me wrong – Cook’s not just all about our privacy, rights, civil liberties, moms and apple (sorry, couldn’t help myself) pies.  I believe that he truly worries about these things, but his bottom line has to be preserving sales, particularly overseas sales.

And, in the wake of all-things-Snowden, overseas folk trust our government less than we might.  

Sadly, in this context, the government’s true intent isn’t even really a factor...although they could – and should - have more carefully crafted their demands in such a fashion so as to not raise the spectre of universal compromise.

Indeed, if the Feds had simply delivered the phone to Apple with the appropriate legal authorization to crack it, perhaps we'd be in a different situation. Demanding that Apple create an entirely new version of its OS that compromises built in protections to just crack this one phone seems, uh, unreasonable, perhaps unbelievable.

Bottom line: If Apple bows to the pressure this time, they may well be effectively bowing out altogether…

This is NOT a sustainable situation.  Government needs to take real steps toward restoring trust, for instance, for starters, publicly reining in defense and intelligence community activities and behaviors - particularly here in the Homeland -  that have utterly abandoned the rule of law.

Government needs to rebuild confidence.  Incessant fear-mongering has been the backbone of two decades of unbridled abuse of our privacy and liberties  - anything and everything has been deemed justifiable, including the revoking of American rights and, yes, lives, to ensure that one or another "they"doesn't somehow prevail at something.

Until and unless trust and confidence are restored, the likes of Cook and Apple have little choice but to stand up to the powers-that-be, unless they are willing to go out of business, which hardly seems a result that would be in our best national - and national security - interest.

October 06, 2015

Safe Harbor, Jurisdiction, Parallel Construction and Pirate Radio

In response (in part) to the Snowden Revelations having undone trust in U.S. companies’ ability to ensure data integrity, the European Court of Justice (ECJ) today invalidated a 15-year-old data privacy pact that allowed U.S. businesses to “legally” transfer EU citizen data across the Atlantic, 

The EU's Charter of Fundamental Rights guarantees the protection of personal data.  In that context, until today, under the so-called “Safe Harbor” agreement, more than 4,000 U.S. companies “self-certified” that they met EU privacy protection laws, thus qualifying them to handle EU data. 

As of today, however, the ECJ rendered Safe Harbor invalid, due to, among other things, America’s global approach to digital surveillance and data collection, as well as the lack of adequate privacy protections in the U.S.

Meanwhile, related, the two-year-old Department of Justice (DOJ) case against Microsoft for refusing to surrender an individual’s data stored on a server at a Microsoft center in Ireland continues to wind its way through the U.S. legal system, with the Supreme Court the likely ultimate arbiter.

At issue: The personal emails of an individual suspected by U.S. authorities in a narcotics case. 

DOJ contends that emails should be treated as the business records of the company hosting them and that a search warrant should compel access to them no matter where they are stored.  

Microsoft argues that the emails are the customers’ personal documents and a U.S. warrant does not carry the authority needed in Ireland - or any foreign jurisdiction - to compel the company to surrender the data.

The Irish government, for its part, maintains that data should only be disclosed on request to the Irish government pursuant to the long standing mutual legal assistance treaty between the U.S. and Ireland.

The case would seem to be a pretty clear no-win all around:

If Microsoft prevails, the global trend towards data localization requirements will almost certainly be accelerated, at the very least undermining the efficiencies of the Cloud, at the very worst Balkanizing the Internet altogether – neither outcome being in anyone’s best interests.

If DOJ carries the day, what little trust may linger in U.S. information service providers will vanish, severely impacting their overseas business prospects and, at the same time, hindering U.S. authorities engaged in legitimate surveillance and data gathering, all the while further setting the precedent for governments worldwide to demand access to data stored in the U.S.

But it’s worse than that.

However the case may ultimately be resolved, uncertainty will reign, piled on top of the chaos echoing in the wake of today’s ECJ Safe Harbor decision, which has left thousands of companies scrambling to sustain businesses and striving for “compliance” with any number of regimes.

Worse yet, governments will not pause their surveillance and data collection.  Indeed, two years of Snowden Revelations might suggest (to some) that the U.S. never really gave a fig about privacy anyway (other governments have yet to be as effectively outed, but are equally suspect).

In that context, whichever way the Microsoft case goes, the U.S. authorities who brought the case will be yet more hindered in the future in terms of “legal” access to the information they desire.  So, they will do what they have already been doing: They will access the data they want in whatever manner they deem necessary.

Meanwhile, in the law enforcement realm, such illicit gathering of information may lead to the institutionalization of the process of “parallel construction,” a method by which the U.S. “exclusionary rule” which protects those accused can be circumvented to allow illegally gathered evidence to be admissible in court, severely undermining the rule of law.

(Parallel construction is already – reportedly - a popular DEA strategy: link)

At the same time, business and criminal enterprises alike may find themselves considering “Pirate Radio”-like data center services, with server banks housed “offshore” (literally or figuratively) in terms of being subject to no-one’s law enforcement or other jurisdiction, potentially threatening the rule of law (but also possibly fostering unique new business opportunities).

Clearly, while concerns related to the confluent conundrums of the Microsoft case and the Safe Harbor collapse are beyond multi-fold, the complexity of the matters involved dictate that there will also be no easy solutions.

So, what next?

Fitful and frustrating global conversations about very complex concepts - ranging from the definition of jurisdiction in a transnational world, to the harmonization of data protection and data compulsion policies, to balancing personal privacy and national security, and beyond.

The goal?

De-conflicting inconsistent data-related (and other) laws and rules across the globe to allow for fair and open and trusted market access to facilitate continued global growth and prosperity in what is an increasingly-digital and borderless world.

How hard can that be?