October 11, 2020

International law enforcement appeals to tech companies not to implement end-to-end encryption

On October 11, 2020, the US Department of Justice issued a joint statement with the Australian Minister for Home Affairs, the New Zealand Minister of Justice, the Canadian Minister of Public Safety and Emergency Preparedness, and the governments of India and Japan, calling for “strong encryption” while urging technology companies to work with governments to (1) embed public safety in system designs in order to facilitate investigation and prosecution, among other objectives; (2) enable law enforcement to access content in a readable format, where proper legal processes have been followed; and (3) incorporate the need for legal access into design decisions.

The letter is part of a long-running campaign by the DOJ and international allies against end-to-end encryption, which enables only end-users to decrypt the content of communications, and leaves service providers unable to produce readable content in response to search warrants and wiretap orders.  In addition to the international letter, the DOJ’s efforts include:

  • A July 2018 Report of the Attorney General’s Cyber-Digital Task Force, in which a section called “The Going Dark Problem” describes the government’s inability to access data in the context of data retention, anonymization, provider compliance, foreign-stored data, data localization laws, tool development and , as well as encryption;
  • A joint statement by the governments of the United Kingdom, the United States, Australia, New Zealand and Canada in July 2019, concluding that tech companies should “include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data”;
  • An October 3, 2019 open letter to the CEO of Facebook signed by the US attorney general, the Home Secretary of the United Kingdom, the Australian Minister for Home Affairs, and the US Acting Secretary for Homeland Security, asking the company not to proceed with the plan to provide end-to-end encryption, without assurances that law enforcement will have access to encrypted communications, if authorized by a court;
  • An October 4, 2019 summit entitled Lawless Spaces: Warrant-Proof Encryption and its Impact on Child Exploitation Cases;
  • Dozens of Op-Ed pieces and public statements; and
  • The introduction, on June 23, 2020, of legislation that would require the makers of consumer devices to provide law enforcement with access to encrypted data when authorized by a judge.

The October 2020 statement focuses on two approaches to the problem of warrant-proof communications:  requiring tech companies to establish terms of service for users that would grant the companies authority to access data under certain circumstances, and disallowing end-to-end encryption that cannot be decrypted by the tech company or law enforcement.

Perhaps more significant from a corporate standpoint is the DOJ’s focus on encryption issues (and ephemeral messaging) in its guidance on Foreign Corrupt Practices matters.  In the FCPA Corporate Enforcement Policy, the discussion of credit for voluntary self-disclosure, full cooperation and timely and appropriate remediation defines the items required in order for a company to receive full credit, including:

Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations

Similarly, guidance published in the form of a National Exam Program Risk Alert by the Office of Compliance Inspections and Examinations of the US Securities and Exchange Commission warns investment advisers that in order to meet the records retention obligations under the Advisers Act Rule 204-2 (the “Books and Records Rule”), organizations should prohibit the use of apps and other technologies that can be misused by allowing anonymous communications, prohibiting third-party viewing or back-up, and enabling automatic destruction of messages.  OCIE adds that firm procedures should require employees to move such messages to other electronic systems that can be used in compliance with the firm’s books and records obligations.

The Financial Industry Regulatory Authority, a non-governmental body that writes and enforces the rules governing registered brokers and broker-dealer firms, has also expressed concern about this issue. In its April 2017 Regulatory Notice on Social Media and Digital Communications, FINRA reiterates that firms are required to retain records of communications related to their business, regardless of the medium or device used, and that any firm intending to permit its associated persons to make business communications through text messaging apps or chat services must ensure that it can retain records of those communications.

Together, these developments point to increased scrutiny and less tolerance on the part of enforcement agencies when it comes to control and access to encrypted content, and retention of all business communications, no matter the medium.

Joint Statement | OCIE Risk Alert  | FINRA Guidance