When the Cops Come A-Knocking: Handling Technical Assistance Demands from Law Enforcement

Presented at Black Hat USA 2016, Aug. 4, 2016, 12:10 p.m. (50 minutes).

What kind of surveillance assistance can the U.S. government force companies to provide? This issue has entered the public consciousness due to the FBI's demand in February that Apple write software to help it access the San Bernardino shooter's encrypted iPhone. Technical assistance orders can go beyond the usual government requests for user data, requiring a company to actively participate in the government's monitoring of the targeted user(s). Companies that take seriously the task of securing of their users' information and communications must be prepared to respond to demands to disclose, proactively begin storing, or decrypt user data; write custom code; allow the installation of government equipment on their systems; or hand over encryption keys. Advance preparation for handling technical assistance demands is especially important now since the U.S. Department of Justice has been so aggressive with companies that resist broad or novel surveillance orders. In the "Apple vs. FBI" case, America's richest company faced a motion for contempt of court and derisive rhetoric from U.S. officials before it enlisted the nation's top lawyers in its defense and ultimately fought off the case. In stark contrast, encrypted e-mail provider Lavabit unsuccessfully opposed multiple court orders to compel it to decrypt and give law enforcement the e-mails of its most famous customer, Edward Snowden, and even to hand over its private encryption keys. The Fourth Circuit Court of Appeal did not look kindly on Lavabit, which lost its legal battle and shuttered its operations after its legal defeat. In 2007, Yahoo! unsuccessfully battled warrantless wiretapping in secret before the Foreign Intelligence Surveillance Court. The price for seeking to protect its users' Fourth Amendment rights? DOJ argued that Yahoo! should be fined $250,000 a day for non-compliance while the litigation was pending.

This talk, given by two Crypto Policy Project attorneys from Stanford Law School's Center for Internet and Society, will teach an enterprise audience what they need to know about technical-assistance orders by U.S. law enforcement, so that they can handle demands effectively even if they do not have Apple-level resources. We'll go over what sorts of assistance law enforcement may demand you provide (and has demanded of companies in the past), whether they have authority to require such assistance and under what law(s), and a company's options in response.


Presenters:

  • Riana Pfefferkorn - Stanford Center for Internet and Society
    Riana Pfefferkorn is the Cryptography Fellow at the Stanford Center for Internet and Society. Her work focuses on investigating and analyzing the U.S. government's policy and practices for forcing decryption and/or influencing crypto-related design of online platforms and services, devices, and products, both via technical means and through the courts and legislatures. Riana also researches the benefits and detriments of strong encryption on free expression, political engagement, economic development, and other public interests.
  • Jennifer Granick - Stanford Center for Internet and Society
    Jennifer Granick is the Director of Civil Liberties at the Stanford Center for Internet and Society. Jennifer returns to Stanford after working with the internet boutique firm of Zwillgen PLLC. Before that, she was the Civil Liberties Director at the Electronic Frontier Foundation. Jennifer practices, speaks and writes about computer crime and security, electronic surveillance, consumer privacy, data protection, copyright, trademark and the Digital Millennium Copyright Act. From 2001 to 2007, Jennifer was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary liability, and Internet law and policy. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.

Links:

Similar Presentations: