One of the most profoundly disruptive developments occurring in the cyber security arena today is the headlong rush by a set of parties to ubiquitously implement extreme End-to-End (e2e) encryption for communication networks using essentially unbreakable encryption technology. A notable example is a new version of Transport Layer Security (TLS) known as version 1.3. The activity ensues largely in a single venue — the informal entity known as the Internet Engineering Task Force (IETF), where the proponents cite stolen highly classified documents as the basis for their efforts.
The generally understood objective by its zealous leaders is to cause everyone except the end parties of the communications services to "go dark" — impeding even the operations of network operators to manage their infrastructures and meet legal compliance obligations. The parties and organizations pursuing this activity generally share common interests born of cryptology competition, anti-government paranoia, and libertarianism — marketed as their own extreme notion of privacy. On the commercial side, the parties involved seek competitive commercial advantages for unimpeded Over-The-Top (OTT) services or e2e encryption products.
The assumption among these parties and organizations is largely that the potentially enormous adverse consequences are not their problem, and there are no legal consequences to their actions. This article, which is taken from a larger treatise, examines some of the diverse legal mechanisms for control of this activity, especially judicial "causes of action" potentially arising from existing and emerging new case law that suggest the legal risk exposure of extreme e2e encryption zealots could be significant.
The technology
End-to-end encryption of communications is hardly new. The basic technology has been around since human antiquity and adapted with every new communication technology over the past few millennia. What is new is the ubiquitous availability of extremely high-performance computational capacity at the communication network end points like contemporary smartphones or laptops, coupled with its exploitation by parties who don't bear the disastrous consequences of its widespread implementation. The known adverse effects form a lengthy list that includes the inability of network operators to manage their infrastructure, diminished resilience and performance of networks, the uncontrollable proliferation of malware and other threat vectors, the inability to meet critical compliance obligations including the detection of insider threats, and global exploitation for criminal, cyberwar, and terrorist purposes.
Responsible commercial and intergovernmental industry technical venues have for decades adopted appropriate forms of Transport, Network, and Application Layer Security — rejecting extreme e2e encryption capabilities — and instituted alternative techniques that mitigate the adverse consequences and provide a balance among the competing design requirements. However, this balance seems unsatisfactory to encryption zealots who are hellbent on leading an extremist vanguard toward some nirvana of ultimate e2e encryption. Indeed, it is ensuing now at the Singapore IETF meeting in November, notwithstanding that the implementations would likely be unlawful in that country under its Computer Misuse Act.
Non-judicial controls
The legal controls in this category include enforcement of treaty provisions, national organic law and regulations, and contractual requirements among providers and with enterprise or governmental customers.
The key provision that is dispositive in public international law is known as Article 34, and it asserts that Nation-States have a sovereign "right to cut off, in accordance with their national law, any ...private telecommunications which may appear dangerous to the security of the State or contrary to its laws, to public order or to decency." The provision has existed for 167 years and has been reaffirmed without reservations by every nation in the world continually in the face of every new technology.
There is flatly no "right" to unfettered personal encrypted communication on publicly available infrastructures and services. Conversely, the Art. 34 treaty provision and its precursors are the basis for broad proscriptions against e2e encryption in many if not most nations, including active blocking mechanisms that detect the signature of the traffic. Although further treaty-based requirements concerning e2e encryption have not been formulated, they could see further amplification under the aegis of enabling the Art. 34 provision within any of the several International Telecommunication Union bodies. As the original home, more than two decades ago, of the Transport Layer Security Protocol and an array of other encryption specifications designed to meet treaty provision requirements, the ITU has a well-established basis for action today if necessary.
Similar global technical specification requirements among all the law enforcement agencies have long existed and continue to be updated yearly. Today, communication services providers must assist in making decrypted communications available when lawfully compelled by government authorities, and the requirements for wireline and mobile services are implemented within almost all industry technical standards bodies.
The concerns and avenues of legal redress have also been amplified recently by the U.S. Deputy Attorney General, who noted: "Technology companies almost certainly will not develop responsible encryption if left to their own devices. Competition will fuel a mindset that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity. Sounding the alarm about the dark side of technology is not popular. Everyone who speaks candidly about 'going dark' faces attacks by advocates of absolute privacy."
Other important non-juridical controls on e2e encryption are implemented through contractual requirements — especially for cloud data centres. Contract provisions can either require standardized capabilities to enable trusted exposure of e2e encrypted communications or block them entirely. For example, in essentially all enterprise network implementations — especially for governmental use — private individual e2e uses are broadly proscribed, and indeed, any use is a prima facie indicator of a security threat.
A significant new global initiative known as the Middlebox Security Protocol (MSP) to responsibly manage e2e encryption consists of a set of new Technical Specifications plus a report in the European Telecommunication Standards Institute (ETSI) in collaboration with an array of other industry and scholarly bodies.
Judicial controls
Judicial legal controls on e2e encryption exist in several forms — both criminal and civil. It is not apparent that criminal measures have yet been pursued — which could include criminal conspiracy or being an accessory to a crime. Both criminal causes of action are potentially available. It is civil causes of action, however, that have become prominent in recent litigation. These include both tort and the violation of anticompetitive provisions of the Sherman Act. Coupled with the tort liability is the increasing likelihood that insurers will increase premiums or outright deny coverage for those engaging in irresponsible e2e encryption as an activity with increased financial risk exposure.
The question of civil liability for end-to-end encryption became actively discussed in a seminal Lawfare two-part article in 2015. As the article notes, "thinking through liability can be a useful way of thinking through how society wants to allocate risk. And one way of thinking about the regulation (or lack thereof) of end-to-end encryption is to ask who, if anyone, should pay when things go horribly wrong." The article also notes that Judge Posner's advance of notions of proximate causation helps further the potential for culpability.
This civil liability control continues to be pursued in several recent cases growing out of terrorist incidents. The cases typically argue that the defendants (variously Facebook, Twitter, and Google) have liability for: 1) aiding and abetting acts of international terrorism, 2) conspiring in those acts, 3) providing material support and resources, and 4) negligent infliction of harm, including wrongful death. Some of the litigation has been dismissed, albeit not without concern being expressed by both the judges involved and legal scholars.
Some of the cases remain ongoing. It seems like only a matter of time before one of these cases proceeds to jury trial and results in significant damage awards. In the meantime, the litigation costs are significant. Providers, organizations, and individuals advancing extreme forms of e2e encryption that are almost certain to aid and abet multiple forms of terrorism, criminal activities, and infrastructure harm seem likely to be facing civil complaints for resulting damages in the U.S. and other jurisdictions worldwide.
Another recent relevant legal development acting as a control is the case of Trueposition v. Ericsson and other companies in the context of standards-setting activities. Here the complaint, brought under the anticompetitive provisions of the Sherman Act, alleged that some of the participants in the standards process, including those in leadership positions, engaged in a conspiracy to harm Trueposition's ability to compete in the marketplace. The case did overcome various challenges and eventually resulted in a settlement where no wrongful actions were admitted.
The case did, however, shake up the standards community into a realization that there were potential consequences to activities. In addition to the far-reaching implications concerning the court's extraterritorial jurisdiction over a standards-making body discussed below, the case advanced an additional viable control on pursuing irresponsible e2e encryption that potentially causes significant adverse harm to telecommunication transport service providers and vendors. The likelihood of an antitrust complaint here is enhanced because the e2e encryption developments arguably significantly benefit OTT providers to the detriment of underlying carriers.
Jurisdictional issues and venue liability
Until recently, the organizations which supported the discussions of network technology standards and the participants considered themselves largely immune from civil liability. That changed in 2012 with the Trueposition litigation initiated in U.S. Federal Court against several companies including the standards venues European Telecommunication Standards Institute (ETSI) and the Third Generation Partnership Project (3GPP). The complaint involved alleged anticompetitive conduct that ensued within the standards-making processes. After several years of litigation costing the parties many millions of dollars, the court held that there was a basis for jurisdiction even though ETSI was based in France. The parties entered into a settlement agreement recognizing that those acting in a standards-making setting can be held liable for wrongful actions occurring in that setting.
Those participating in the IETF — which only exists as a kind of virtual umbrella of individuals — face even greater exposure. Unlike a normal standards body like ETSI or 3GPP, the IETF does not exist as a legal entity. It is asserted that participants act as individuals, and several non-profit corporations provide supporting services.
Thus, there appears to be no actual anti-trust policy or rules — only a kind of guide for conduct. There is also no legal entity to reduce the exposure of individuals for technical specifications that subsequently result in significant harm. To the extent that civil tort liability exists for initiatives led in the IETF and adopted among the participants, including the pseudo-leadership positions, it is those individuals (and possibly their employers) who would appear to bear the culpability. The IETF Trust purchases liability insurance for the Trust and its Trustees for the purpose of holding the IPR. For those playing IETF roles, the Internet Society provides liability insurance and a promise of legal support for their activities. Individuals, however, would appear to participate at their own risk for potential consequences of their proffered specifications.
Potential Actions
There is a kind of simplistic, self-referential zeal among some in venues like the IETF who bandy about terms like privacy to justify technical platform actions that have extreme adverse consequences — believing they are the ultimate authorities in determining the righteousness of their actions and thereby imparted legal immunity. This activity, however, exists within a larger ecosystem of legal controls which are rapidly evolving. It is legal systems in our societies that balance consequences and determine responsibilities, not self-appointed technical groups.
There are three potential sets of legal controls that are emerging with respect to those who are developing, promoting, and implementing extreme end-to-end encryption (ee2ee) capabilities:
• Intergovernmental, Nation-State, and service provider proscription of these actions
• Litigation by parties adversely affected against those entities and individuals in the pursuit of compensation of resulting damages
• Adjustment to the insurance coverage provided by insurers to deny protection to the entities and individuals
Written by Anthony Rutkowski, Principal, Netmagic Associates LLC