Google-Facebook-Apple’s Law-Evasive Encryption Risks

In the coming months, Google, and to a lesser extent Facebook and Apple, are on a collision course with American and foreign law enforcement over their pervasive, law-evasive encryption of Internet traffic by default, which increasingly means that law enforcement with a legitimate court-ordered warrant cannot search a Google, Facebook, or Apple user’s communications to investigate, prevent and prosecute terrorism or felony crime.

All three, to different degrees, are seeking to regain user trust lost by Snowden’s exposure of ubiquitous NSA spying, by deceptively trumpeting their encryption of traffic as a panacea for privacy vulnerabilities.

[Please don’t miss the summary below that encapsulates how more pervasive, law-evasive encryption is not a privacy/security panacea but a grave threat to both public safety and the global free and open Internet we know today.]

Each of these companies individually, and all three collectively, are so integral to Internet traffic generation and processing overall, that their pervasive, law-evasive encryption of Internet traffic by default could quickly transmogrify the free and open Internet into a more dangerous Dark-Net where there could be little effective sovereign law enforcement, national security or public safety online.  

Apparently Google, Facebook, and Apple imagine that any press generated by their mass encryption and opposition to the FBI doing its job, is good for user trust and hence their brands and businesses going forward. Such a simplistic binary PR and lobbying frame appears to be another fit of Silicon Valley entitlement and naïveté that the laws and public safety obligations that apply to, and are respected by, most everyone else, do not apply to the Silicon Valley Internet aristechracy and the cool kids of the coding class.   

A.  Summary of risks with Google-Facebook-Apple law-evasive encryption by default:

  1. Could facilitate undetectable anti-competitive and collusive behavior.
  2. Is a de facto digital war on sovereign authority and accountability.    
  3. Cherry-picks sovereign benefits, while evading sovereign responsibilities.
  4. Is not a privacy/security panacea, but an existential threat to a global free and open Internet.
  5. Violates CALEA and FCC’s Title II net neutrality rules and transparency requirements.

B.  Google-Facebook-Apple law-evasive encryption by default risks

Google, Facebook and Apple obviously have not thought through how potentially threatening, destructive and irresponsible pervasive, law-evasive encryption is to sovereign rule of law.

Let’s discuss what these companies are badly and irresponsibly missing concerning encryption.

1.   Law-evasive encryption could facilitate undetectable anti-competitive/collusive behavior.  

Collusive, law-evasive encryption -- by three of the most dominant communications providers in the world -- could quickly and effectively cartelize most Internet communications traffic and also make it much harder for sovereign law enforcement authorities to effectively investigate these companies for collusion or for other potential illegal activities.

Google, Facebook, and Apple are the three largest communications service providers in the U.S. and the world. Google and Facebook each provide communications services for over half of Americans and well over a billion users each worldwide. Apple is the most valuable company in the world; Google is in the top five and Facebook in the top twenty. Google-Android has 90% share of the licensed mobile operating system market and the #1 browser in Chrome. Google also is involved with processing over half of the Internet’s traffic in one way or another. Facebook is the largest social network in America and in the world. These three world-leading communications entities collectively help more people communicate in more ways than virtually any other companies on the planet. Consequently, they have undeniable public responsibilities to obey sovereign laws and protect public safety.

Some sovereign laws that pervasive encryption would enable these companies to evade include antitrust, privacy, property, and criminal laws.

All three of these companies enjoy dominant market positions. Pervasive law-evasive encryption also could make it much easier for them to engage in anticompetitive or collusive cartel behavior without detection or investigation from sovereign law enforcement authorities.

Apparently these companies imagine there is somehow political strength in numbers if all three dominant companies defy sovereign authorities all at once. The opposite is true; numbers could implicate antitrust collusion, or conspiracy, legal liabilities.

The lack of self-awareness of the implications of these companies’ individual and collective market power here is stunning.     

2.  Law-evasive encryption by default is a de facto digital war on sovereign authority/accountability.    

Google, Facebook and Apple effectively are asserting that they are above the law, and in doing so they effectively are launching a de facto digital war on sovereign authority and accountability.

(It is important and ironic to note here that Google currently is suing to block a lawful State Attorney General subpoena for Google information related to Google’s alleged aiding and abetting of a variety of criminal activities. Forty State AGs just filed a brief in court against Google’s outrageous claim of immunity to state law and State AG investigations.)

At the same time the U.S. Constitution prohibits unreasonable search and seizure, it authorizes legitimate and reasonable search and seizure in accordance with the law.

As the entities that are encrypting and decrypting the traffic on users’ behalf, if they continue to disobey lawful court-ordered search requests to protect the public safety, they risk engaging in willful blindness to the law and being complicit in aiding and abetting the terrorism and criminal activity that their encrypting activity could enable, foster, cover up and protect from investigation/prosecution.

Increasingly sovereign nations around the world will require and demand law enforcement access as a condition for these companies to continue to conduct business in their countries lawfully.

Google’s position here is particularly awkward from a branding perspective and potentially even higher-risk legally. Why?

 

At core, Google is telling the USG DOJ/FBI that they won’t respect or comply with a constitutionally-authorized, court-ordered warrant for a wiretap of a user’s encrypted data or communications, when Google has been, and is, involved in illegal widespread wiretapping of tens of millions of American users’ internet traffic -- Gmails, home WiFi signals, Chrome browser traffic, Google Nestcam audio and video recordings, and Google Glass audio and video recordings -- without people’s consent.

By refusing to comply with legal FBI wiretaps, Google effectively is double daring FBI Director Comey to investigate Google’s widespread wiretapping for commercial gain with no state or Federal authorization or consent of the secretly-recorded.

Only Google has the Goobris and political influence to tell the USG that they enjoy the power to illegally wiretap Americans with impunity, but the FBI can’t legally wiretap with a constitutionally-authorized, court ordered, warrant.  

3.   Google, Facebook and Apple want sovereign benefits, without sovereign responsibilities.  

These companies are forgetting that in free countries, the sovereign social contract is a two-way street.

When China hacked Google in 2010, and reportedly had the run of Google’s system and stole their entire password system Gaia per the New York Times, Google understandably ran into the arms of the Government and the NSA to protect them going forward. And when Apple alleged that Google stole smartphone intellectual property from Apple, Apple sought redress in U.S. and international courts.

The high-level, public policy position of these companies here is both indefensible and unsustainable because it is based on the implicit double standard that the Government must protect their corporate safety, but not the public’s safety. 

In other words, these three companies want all the benefits and freedoms of sovereign protection of their property and profit, with none of the most important legal and social-ethical, corporate-citizenship obligations and responsibilities necessary to broadly protect the safety and property of the public.

4.   More universal law-evasive encryption is not a panacea, but an existential threat to the Internet.

Google, Facebook and Apple appear naïve about the implications of a more universally encrypted Internet – and how more universal encryption is less the perceived panacea of privacy and security problems on the Internet and more of an existential threat to a global free and open Internet.

Think a minute about the implications of near universally encrypted Internet traffic going in and out of a sovereign country. With current data flow transparency, countries have the ability to discern different kinds of traffic, which greatly facilitates today’s largely free flow of information over the Internet across the free world.

The higher the percentage of law-evasive encrypted traffic coming into or out of a country that the country’s law enforcement and military authorities cannot understand or mitigate if necessary, the proportionally bigger the threat to that nation’s sovereignty becomes over time.

That’s because a nation could no longer detect what traffic is likely safe versus a likely threat -- like a massive denial of service attack, malware, spam, stolen data, etc.

In other words, currently benign traffic that becomes encrypted could enable bad/dangerous encrypted traffic that would otherwise stand out to more easily hide inside the near universal law-evasive encrypted traffic, much like a malefactor can blend into a crowd and hide in plain sight due to the volume of other people.

Many countries could respond to the new uncertainty and un-addressable risk by trying to block unknown encrypted traffic into and out of their sovereign borders while allowing unencrypted traffic through after it passed through their sovereign filters.

Thus a more pervasive law-evasive encrypted Internet risks becoming a “splinternet” where the perceived costs/risks of allowing some Internet traffic into a sovereign country could outweigh the perceived benefits.  

These companies also appear not to appreciate that if their traffic is unknowable to others but not them (because they can decrypt traffic to enable their company apps), they are essentially saying that it is acceptable for them to record and scan all traffic flowing through their apps and data centers for their commercial purposes, but it is unacceptable for sovereign nations to know anything about that traffic flow going in and out of their countries for their sovereign law enforcement or national security purposes.

EU competition and data protection authorities will soon learn that Google and Facebook’s encryption of almost all of their traffic is a clever and effective way for Google and Facebook to hide their relative dominance and abuses of dominance and data protection.

The EU should expect both companies to perversely imply or claim that if they encrypt all their users’ traffic that would make them the new guarantor and enabler of better data protection of the masses and make the EU data protection authority (and other sovereign privacy authorities) superfluous or unnecessary at least in their cases.

Importantly, the UK reportedly is only among the first countries to begin taking a hard line against entities that encrypt traffic without a mechanism for legitimate government decryption for law enforcement and national security purposes.

Simply, near universal encryption is a cybersecurity nightmare for any sovereign country intent on controlling their sovereignty in the physical and virtual world. Even more simply, near universal commercial encryption of Internet traffic facilitates the de-sovereign-ization of the Internet.     

To put this in real life perspective, more universally encrypted international Internet traffic effectively is like preventing a sovereign nation from protecting and controlling its sovereign borders like it can in immigration, travel, or with physical imports or exports, if it chooses to do so.

In the EU, Google’s stance that they will not allow EU authorities to know what is happening to European users’ traffic gives Google a new way to evade accountability to antitrust and data protection law, because how can the EU authorities adequately investigate Google, if they are hiding and covering up large amounts of data that the EU previously could subpoena?

5.  Under FCC Title II authority, they must comply with CALEA & net neutrality transparency.

Google, Facebook and Apple are de facto common carriers under the FCC’s reclassification of the Internet as Title II common carrier telecommunications subject to: net neutrality; and CALEA – FBI access to telecommunications with a warrant.

Existing law and the FCC’s asserted Title II authority over the American Internet, combined with FCC cooperation under their founding statutory Title I authority, is more than enough to compel these companies to provide court-ordered access to their encrypted telecommunications traffic over time like they have under CALEA with traditional telecommunications providers for a couple of decades.

Pervasive law-evasive encryption of Internet traffic by the largest communications providers in the U.S. and the world effectively would prevent any reasonable ISP network management and prevent anyone, including the FCC, from knowing if Google, Facebook or Apple were respecting net neutrality in not blocking or throttling their world-leading communications traffic on the Internet.

And pervasive law-evasive encryption could be the ultimate antithesis of the FCC’s net neutrality policy of requiring transparent network management.

C.  Conclusion

In sum, Google, Facebook and Apple’s increasingly pervasive, law-evasive encryption is not the purported privacy and security panacea these companies are claiming it to be.

It is more accurately threatening, destructive, and irresponsible behavior that unwittingly could transmogrify the free and open Internet into a more dangerous Dark-Net where there could be little effective sovereign law enforcement, national security or public safety online.

Forewarned is forearmed.

 

Scott Cleland served as Deputy U.S. Coordinator for International Communications & Information Policy in the George H. W. Bush Administration. Cleland is President of Precursor LLC, a consultancy serving Fortune 500 clients, some of which are Google competitors. He is also author of “Search & Destroy: Why You Can’t Trust Google Inc.” Cleland has testified before both the Senate and House antitrust subcommittees on Google and also before the relevant House oversight subcommittee on Google’s privacy problems.