Data-sharing agreement between the UK and US sets off alarm bells
A piece of legislation called the CLOUD Act has been the root of much debate in the past few days over its privacy implications.
The CLOUD Act requires social media services like Facebook to hand over private messages sent using communications networks. Previous attempts by Western governments to snoop on private conversations have been met with backlash by citizens.
Under former UK PM Theresa May’s government, a proposal was made that encrypted communications must be made accessible by authorities upon request. The excuse for such invasive legislation was that terrorists were known to be organising attacks using apps like Telegram.
Of course, only a small percentage of people use encrypted apps for nefarious purposes. Most ordinary people use encrypted apps for preventing leaks of legitimate business secrets, protecting sources, or for reducing personal data collection.
If authorities have access to such information, it’s an understandable concern. Whistleblowers like Edward Snowden could be arrested before disclosing any information about their government, or individual profiles could be created for each person to highlight them as a risk to that administration’s interests.
Security experts have pointed out that asking encrypted services to provide unencrypted access to authorities isn’t practical. Building in a ‘backdoor’ of any sort requires deliberately creating a vulnerability that at some point is likely to be discovered and taken advantage of by an unauthorised third-party, putting potentially millions of users at risk.
On YCombinator, WhatsApp head Will Cathcart wrote:
“We believe people have a fundamental right to have private conversations. End-to-end encryption protects that right for over a billion people every day.
We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these, we must stand up both for the security and the privacy of our users everywhere.”
Under the CLOUD Act, social media companies are not forced to break encryption or add backdoors in their apps. While communications must be handed over upon request, they may not even be in a readable state.
A modernisation of the current UK-US system is certainly needed. Currently, authorities rely on a law from the '80s to request digital information on suspects.
UK authorities must go through US courts and vice-versa to get permission to access private data for an investigation. This causes a significant delay which could mean life-or-death in some cases. Under the CLOUD Act, a UK court would be able to issue a request to access data the same as a US court (or, again, vice-versa).
“The fight over encryption continues,” wrote Facebook’s former chief security officer Alex Stamos in a tweet. “But the US/UK agreement hopefully reduces some of the pressure by giving UK [law enforcement] the same options as US [law enforcement].”
One human rights stipulation the UK side has added as part of the CLOUD Act is that any data it provides cannot be used as evidence in any US case where the death penalty is being considered.
The close security relationship between the UK and US has been strained in recent months due to the UK not committing to a ban of Huawei’s telecoms equipment; which the US deems a national security threat.
It’s understandable that alarm bells will ring whenever authorities give themselves extra powers to access private data, but the CLOUD Act seems fairly reasonable in comparison to past legislation proposals.
Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.