The case of where next for Digital privacy?
Prof, Mark Skilton, Prof. Irene Ng, Warwick Business School
Is Encrypting data protecting privacy? if the FBI can hack a phone, is privacy dead?
The December 2015 terrorist attack in San Bernardino, California has been felt around the world in that it touched not only the terrible events that seem to proliferate in society but the paradox of having both privacy and security at a price. It seems that resorting to a law created in 1790, the All Writs Act (1) to push through a demand for access to the mobile phone property and the new laws being drawn up raise more questions on how is access and trust for privacy governed in the digital connected economy?
What does this mean for the kind of world we live in and the impact of technology if everything is a kind of “cat and mouse game” between technology companies, authorities, citizen, hackers or terrorist?
Who is the keeper of my house?
The easiest way to describe the FBI v Apple saga is to consider the situation being played out in the physical world. The FBI needs to access the terrorist’s physical belongings which is of course at his house. If the terrorist owns his house, the FBI would just get a court order, break the door down and gain access to the house and all its belongings. If the terrorist rents his house, a court order is again needed to request the landlord to provide access, perhaps with the master key the landlord owns. In the case of FBI v Apple, Apple is not the landlord or the house owner. Apple is the guy who made the front door lock. And they made it in such a way where if you try to break down the front door, the lock incinerates everything in the house and burns the house down. So FBI requested Apple to modify the lock so that they could get in, but Apple is not willing to comply because that would just compromise all the front door locks in the world they have supplied and the ability for other governments or nefarious entities to try to break in once their lock can be somehow picked.
Somehow, the FBI finally figured out how to open the front door lock (not really that hard if you ask some of the techies out there) without burning down the house and the case is now dropped.
To understand data on the phone as analogous to physical belongings is probably a good place to start in terms of the wider implications of the case and the state of play for personal data driven business models.
The Honest-not-Curious business model
Apple runs what we could term as Honest-not-curious business model for personal data. They have gone to inordinate lengths in terms of security and privacy to ensure that no one, not even Apple staff, can get into your data if you don't let them. Apple’s principle is that you've bought the phone, and with it some free iCloud space, and for the money you've paid, they won't peek at your data, nor make money from your data on phone or on cloud. Of course, the honest-not-curious model applies specifically to newer iPhones. Apple will turn over iCloud and other data it stores to law enforcement when a court order is issued (2).
The Honest-but-Curious business model
This is the more common business model, practiced by the likes of Google and Facebook. In this model, programs and algorithms keep your data secure, but privacy may be compromised because information passed may be looked at. Often individuals allow this in return for free services. The analogy to the physical world is that you rent your house from a landlord which has a little robot come in everyday to make a note of your belongings and what you have in your fridge and your larder. In return, you might not have to pay rent and even get vouchers for the products you normally consume.
The challenge of the HBC model is of course, mission creep. Since the landlord owns the key to the house, and the robot, what's to stop him from going in more times in the day at the behest of other firms, or look at other stuff that you didn't authorize him to look at. This is especially so when other advertisers comes calling, analogous to, say, those interested in the books in your house, or maybe your private clothing. At which point do free services become less worth the intrusion? Of course, the fact that the firm already have access, opening the door for the Feds is not illegal, in fact, a court order may not even be necessary and we can see governments exploiting this. The important point here is that that Apple makes most of its revenue selling hardware. Google, Facebook and other all-digital entities that run the HBC don't have that luxury, which is why they let advertisers run amok throughout their online services.
The issue for privacy is therefore the question of how to ensure the firm or government is incentivized towards being more honest, rather than more curious? The current economic incentives clearly point towards curiosity for HBC business models and honesty for HNC business models. In dealing with the Feds, HNC firms can legitimately request for a court order before handing over data. With HBC, it is less clear if the Feds need to.
What possible futures now for privacy?
The question of what future for data privacy is a fight between increasing encryption and new laws seeking access, but what is at stake is much more fundamental, it is preserving our rights and whom we trust to maintain our rights. The recent WhatsApp announcement of end-to-end message encryption (3) for its 1 billion monthly active users just pushes these worlds further apart. The WhatsApp use of AES-256 standard military strength security by the Facebook owned consumer App does place control of access again between the tech company and the end user.
Better Custody and access rights control
The wider implication of the FBI v Apple and indeed, personal data issues in general, is the need for a separation of concerns for personal data.
To emulate the physical world where property rights and their legal frameworks are well established, we can think of our phones as a bag that we bought from the manufacturer. if you wish to borrow the bag, or look at its contents, it is based on my terms. Break those terms and I take my bag back or I could sue you. This is possible because custodial (property) rights can be treated the same as physical property rights in law, in that they are ‘super rights’ where the holder of that right can assign access and other rights of the belongings to others. The term ‘super’ is used here to denote the highest degree of property rights based on common law and most widely applicable - possession, use and disposition, a law defined back in 1790 (4). But whether data can or cannot be ‘owned’ the way property is dependent on the type of data and the use, there is a case that explains it in Google v perfect 10 (5) there is no case law as yet to conclusively say if data can be treated as property, but Apple will surely argue this.
At the point where data is created, HNC firms could be argued as manufacturers of bags. They are keen to hand over custodial (property) rights of the data to the user and then raise their hands when the Feds turn up to say ‘get a court order’ or ‘ask the user, the data is theirs’. There is a difference however, in that the manufacturer of this particular bag has an obligation to secure the data, but arguably without the need to be the rights owner. Security is therefore a service by Apple without rights of access – the lock maker’s mantra. In such a HNC world, the legal frameworks around property rights will apply and there may be no need for new laws.
Where the separation of concerns of data use becomes muddy is in the HBC world. HBC firms do not hand over custodial rights but given the risk of custody both in terms of security and reputation, they are starting to take steps to give some rights over to users. WhatsApp is a case in point. Their recent move to encrypt all messages is a move to grant ‘keys’ in some respect to users for their content data messages. WhatsApp still retain the metadata, which can be used for ad targeting. Does encrypting messages imply the assignment of full property rights of the content to the user? To the extent that even WhatsApp cannot create ‘back doors’ and the Feds cannot ask Whatsapp for the data? This has not yet been ascertained.
Still, it is clear that the market is seeing privacy and security as reputational risks and firms are testing out HBC models that would mitigate the risks of custody but yet allow access to personal data. We are already seeing a movement of personal data platforms coming into the market, for example, the HAT project at http://www.hubofallthings.com (6) where users are being given a platform to take on the custodial rights of data and sharing it back with firms. What is needed are clear legal frameworks for HBC firms and users and the alignment of economic incentives that build rather than erode the trust in the system.
As we move towards a world of Internet of Things, it is likely that the market will be pluralistic in terms of 'custody' of personal data. The likes of Google and Facebook will always want to retain it, but many small companies making IoT devices might prefer not to take the privacy or reputational risk and opt for user containers with access rights back as an alternative. Legal frameworks will have to deal with an increasing complex issue of possession, use and disposition for data at rest and in use, as they had to back in 1790 for property.
With so much of our lives being recorded as “digital living” the number of possible attack touchpoints is real and needs protection.
The current stand-off will continue in this paradox of a more connected society but at what cost for privacy.
One thing is for sure in technology innovation is that disruptive and something new will emerge which could be radically different.
The All Writs Act 1790
http://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf "For government information requests, we comply with the laws pertaining to global entities that control our data and we provide details as legally required. For content requests from law enforcement agencies outside the U.S., with the exception of emergency circumstances (defined in the Electronic Communications Privacy Act 1986, as amended), Apple will only provide content in response to a search warrant issued pursuant to the Mutual Legal Assistance Treaty process or through other cooperative efforts with the United States Department of Justice."
WhatsApp Encryption announcement. April 2016
Definition of Common law (Wilson, 1790, 1791)
Ownership of data legal case - Google v perfect 10
HAT The Hub-of-all-things http://www.HATDex.org