The following is an enhanced transcript of my comment at the following panel of CyFy2016, September 30:
12:20 . 13:20 The ‘Trilemma’ of Access, Privacy and Security (Aftab Mahtab)
This panel will take stock of some of the recent developments like the encryption debate that purportedly pits privacy against legitimate access to electronic data. It will identify norms that must be developed anew to reconcile these differences.
1. Isabel Skierka, Researcher, Digital Society Institute, European School for Management and Technology
2. Seda Gurses, Post-Doctoral Researcher, Center for Information Technology Policy, Princeton University
3. Solange Ghernaouti, Professor, University of Lausanne
4. KS Park, Director, OpenNet Korea
5. Alexander Klimburg, Director, Cyber Policy And Resilience Program, Hague Centre for Security Studies
6. Paula Kift, Ph.D Candidate, New York University (Chair)
I come form a country where access to Internet was strictly restricted for the purpose of security. Access was permitted to only those who registered their real names and national ID numbers and thereby sacrificed their privacy. Fortunately, it was struck down by the Court who emphasized the value of online space in overcoming the offline hierarchy according to lines of gender, age, wealth, social status, to formal democracy.
Having dealt with a dilemma between individuals’ access to Internet, and privacy, now, let’s move on to a dilemma between government’s access to private information and privacy. Balancing between privacy and security, or legitimate access to data for investigation purposes, has been a problem not just in cyberspace but offline as well, and we have already concocted a solution to that, which is a warrant doctrine which means that, officials political accountable to the target of investigation and obligated to be concerned about the data subject’s privacy and disinterested in the progress of criminal investigations (they are usually judges of course), these judges will review whether such government access to user information is proportionate in light of the likelihood that incriminating evidence may be found there.
I think that re-contemplating the warrant doctrine resolves many of the difficult issues in cyber security. For instance, MLAT bypass reform is trying to remove jurisdictional hurdles to legitimate access but it will likely violate the warrant doctrine because the foreign judges not politically accountable to the American company hosting the target information will decide on the value of that company’s confidentiality.
We can apply that to the encryption debate. Warrant is a compromise between a need to investigate and the suspect’s presumption of innocence. A problem goes like this. Forcing someone not proven to be guilty through a trial and therefor presumed innocent, forcing that person to cough up material, will be a violation of presumption of innocence but then again, without that information, that trial cannot proceed. What do you do? We will have a neutral official to decide, not whether the person is guilty, but simply whether the person is probably guilty (hence probable cause). That is a solution we accepted. This means that warrant is a negative mandate I.e., the government should not restrict people’s privacy unless there is a probable cause, and it cannot be an affirmative measure. It is not supposed to order private parties around to do anything affirmatively, like writing a new software as in the case of Apple v. FBI.
Asking Apple to write a single-device iOS is different from asking a safe company to make a new key for an old long forgotten safe. Coding is not a physical act but an intellectual act. It is like painting, writing, sculpting, orating, etc. Coding is creative activity, more involved than simply giving information. If Picasso cannot be forced to paint for Franco or a republican, Apple cannot be forced to code for DOJ. No matter how overriding the public interest is, coding or invention cannot be compelled. Coders have absolute ethical rights to refuse to write the ethical equivalents of Volkswagen emission manipulation software. Apple’s refusal is an ethical stance that should be respected.
Another related question is whether you can force the companies and individuals into turn over the decryption keys so that contents of encrypted communications can be made available for investigations. Warrant is a negative mandate that take as its starting point what people have freely done under presumption of innocence. Different modes of communication can be used by individuals, and if they choose the ones not easily available for wiretapping, so be it. We should not try to take away the choice of everybody just to track down a minority of terrorists. The Korean Constitutional Court struck down real name identification law for the same reason, characterizing the law as an attempt to treat all the citizens like a potential criminal just to catch a small number of illegal information.