Constellation Insights

Google is getting a lot of attention lately over the $2.7 billion fine it received from the European Union over antitrust practices related to its search engine. The controversy stands to overshadow the company's recent effort to launch a policy debate around an important topic: The governance of cross-border law enforcement requests for information.

SVP and general counsel Kent Walker made the case in a speech last week to the Heritage Foundation, an influential Washington, D.C. think tank:

For as long as we’ve had legal systems, prosecutors and police have needed to gather evidence. ... With the advent of the post office, police got warrants to search letters and packages. With the arrival of telephones, police served subpoenas for the call logs of suspects. ... But the laws that govern evidence-gathering on the internet were written before the Information Revolution, and are now both hindering the flow of information to law enforcement and jeopardizing user privacy as a result.

These rules are due for a fundamental realignment in light of the rapid growth of technology that relies on the cloud, the very real security threats that face people and communities, and the expectations of privacy that internet users have in their communications.

Today, we’re proposing a new framework that allows countries that commit to baseline privacy, human rights, and due process principles to gather evidence more quickly and efficiently. We believe these reforms would not only help law enforcement conduct more effective investigations but also encourage countries to improve and align on privacy and due process standards. Further, reducing the amount of time countries have to wait to gather evidence means would reduce the pressure to pursue more problematic ways of trying to gather data.

Under the U.S. Electronic Communications Privacy Act, for the most part foreign law enforcement organizations are reliant on "diplomatic mechanisms" such as Mutual Legal Assistance Treaties when they want information held by a U.S. company. That process is far too bureaucratic and slow for most criminal proceedings, with an average wait of 10 months, Walker said.

Meanwhile, those same delays are prompting some countries to simply assert "that their own laws apply to companies and individuals outside of their borders." This places globalized U.S. companies in an "untenable situation," since they're at risk of violating U.S. law or that of the nation making the request, Walker added.

Google is proposing that the ECPA be updated to reflect that "law enforcement requests for digital evidence should be based on the location and nationality of users, not the location of data," as one measure.

A second would be for the U.S. and foreign nations that meet those "baseline" privacy, human rights and due process standards—which Google does not specifically define—to ink new pacts that would provide an alterative to MLATs.

Analysis: Unpacking Google's proposal

In principle, Google's proposal is most welcome, says Constellation Research VP and principal analyst Steve Wilson. "Clearly, something needs to be done to lubricate the necessary flow of information between cooperating law enforcement agencies," he says. "Equally, this sort of international challenge has been overcome many times in the past with extradition treaties, international shipping and aviation laws, as well as telecommunications and satellite regulations."

But the devil is in the details, and it's difficult to say how Google's view of the world and its problems align with most nations, he adds: "We live in awkward times where a great many developing nations are on edge, keen to assert their sovereignty in the global economy. A fresh complexity that didn't affect past treaty negotiations is that we have digital corporations now, with skin in the game, that are bigger than many countries."

Encryption: The elephant in the room

You can't have a discussion about law enforcement information access, whether domestic or international, without bringing up the difficult question of encryption. (Although in his speech, Google's Walker did not.)
 
Apple famously fought the FBI over access to an alleged terrorist's encrypted iPhone, arguing that providing the backdoor access desired by the Bureau would be able to unlock any iPhone, with no guarantee that its use could be limited to the device in question. (Ultimately, the FBI got outside help to crack the phone.)


Wilson recalls the "crypto-wars" policy battle of the 1990s, which ended in a consensus that while criminals can use and benefit from encryption, it was also necessary for community security and would in reality always be available in roll-your-own form.

"The arguments today revolve around whether encryption is so powerful that it gives terrorists and organized crime a crucial edge over law enforcement," he says.

"Police and politicians wish for an exceptional access mechanism that would let them undo encrypted messages," Wilson adds. The trouble with these debates is that lay people have come to view encryption like mechanical locks, which have master keys or other internal mechanisms known only to locksmiths, he says.
 
There's a major problem with that way of thinking. "Encryption backdoors create fundamental weaknesses that threaten all legitimate uses of the algorithms, for reasons that are difficult to present to non-specialists," Wilson says. "You hear politicians argue that all those clever folks out in Silicon Valley must surely be able to come up with a solution. It's just not that easy."
 
While the cryptowars have flamed up again, age-old issues remain the same, Wilson says:
 
  • Intercepts and decryption are just one tool of many used by law enforcement.
  • Messages don't stay encrypted forever and police can find many points in the communications line at which to intercept criminal activity.
  • Tampering with commercial cryptography will drive the most dedicated—and thereby most dangerous—criminals to build their own.
  • Criminal can also resort to steganography, the practice of hiding secret messages in normal files such as graphics. Stenganography is much harder to detect and decode.
Officials from Australia, Canada, New Zealand, the United Kingdom and the U.S.—known as the "Five Eyes" for their historical willingness to share intelligence—are meeting in Ottowa this week to discuss encryption and related matters. It's an opportunity for substantive advancement, but also for wrongheaded ideas to take stronger hold.
 
"I agree this is a dilemma and I sympathise with law enforcement," Wilson says. "Yet I hope cool heads prevail."
 
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.
 
 

Business Research Themes

Tech Optimization, Digital Safety, Privacy, and Cybersecurity

Roles

Chief Information Officer, Chief Executive Officer, Chief Customer Officer, Chief Marketing Officer