The part our digital selves play on the internet in our daily lives seems to have no limits: we use email and instant messaging to communicate with our friends and relatives, we expose our private moments on social networks, and we use our computers and phones to make payments, shop online or access and update our personal records with a wide range of administrations.
Businesses also rely increasingly on the internet to support their activities, exchanging confidential data with third parties, customers or suppliers.
Of course, as we have adapted to this new way of life, so have criminals, and not a day goes by without a story of another identity theft or another large-scale confidential data breach.
Of course, governments all around the world have not been keen on letting individuals freely exchange unchecked data without developing the technologies allowing them to intercept and analyze such data. The existence of massive surveillance programs run by various agencies has been widely documented recently.
Technologies exist that protect the confidential data of individuals and businesses. They are grouped under the term “cryptography”, which is the set of techniques used to cypher / decipher messages.
Cryptography is almost as old as structured communication between men (one of the oldest cyphers being the “Caesar Cypher”, used by the Roman Emperor himself), and the ancestor of the modern computer (the Turing Machine) was invented in order to crack the cypher used by the Germans during WWII.
The development of modern computing in the 1980s, which put a PC in (almost) everyone’s home (and increased the computing power of these machines at such a rate that John Doe’s smartphone today is more powerful than the professional supercomputers of the early days), signalled a new arms race in cryptography, as the ability to support cyphers of growing complexity developed at the same pace as the ability to crack them.
Governments were quick to understand both the necessity of providing strong information security in the public space while maintaining an ability to oversee this information, and the necessity of protecting their own information and communications with an even higher level of protection.
For this reason, cryptography technologies were very soon considered “dual-use” (both military and civilian), and regulated as such.
In the Western world, this regulation mostly comes from two sources: the Wassenaar Arrangement, which originally regulated weapons development and trade for NATO countries, and which is now applicable in the European Union, Russia and Canada (and beyond, as a total of 41 countries participate in the Arrangement, and Israel and China, though not participating, have aligned their regulations with it), and, in the United States of America, a wide range of local regulations.
The US regulations have been able to cope with the growing civilian ability to benefit from strong data protection while maintaining the government's technological advantage, as any encryption technology in use in the US must first be accepted by the government, and these technologies cannot be exported without prior governmental authorization. Recent revelations on US surveillance programs show that the authorities are making sure they can access data “protected” using such encryption at will, which creates a challenge both in the US (individual privacy concerns) and abroad (individual privacy concerns, and the protection of government and business confidential data against economic spying and US intelligence capabilities).
In countries applying the Wassenaar Arrangement, things have been very different, as the thresholds that distinguish a military encryption technology from a civilian one were not reviewed for a long period of time, creating a growing gap between the capabilities of individuals and businesses to protect themselves and the capabilities of criminal organizations to defeat their security measures. Though these thresholds were reviewed in the 2000s, they are still “lagging” behind, and prohibit individuals and organizations from protecting themselves with truly strong encryption.
This seems to be one of the most important challenges from a legal perspective in today’s digital age: how can the general public be allowed to benefit from rights (security and privacy) which any democracy guarantees it “in real life”, and whose enforcement is necessary to maintain confidence in the digital economy (which, in turn, is increasingly becoming fundamental to the good standing of our modern economies), while still allowing government intervention, which is necessary to protect the security and property of the general public?
Further complicating this issue, the underlying philosophy of the digital age is that of the “founding fathers” of the Internet: libertarian to the point where the views of a majority of modern internauts on freedom in cyberspace resemble utopian programs which are advocated only by marginal political groups “in real life” (and with which most internauts do not agree when it comes to “real life” matters).
In addition, governments, motivated by the “war on terror” and the fight against cybercrime (but also sometimes by the old demons of the will to control their population’s activity), are allowing themselves to pass exceptional legislation on the surveillance of cyberspace which they couldn’t dream of in “real life”: capture and analysis of private correspondence, behavioural controls and restrictions on freedom of speech are now advocated by governments in an attempt to crack down on a “wild west” internet space.
Lastly, the virtual character of this space gives it an extra-territorial status which makes both defining the applicable law and enforcing it quite complicated.
From the “all-out” approach of the United States, which claims jurisdiction beyond its borders, to the rationalizing attempts of EU states trying to define precisely the rules applicable to the various possible cases of digital activities carried out from / to their territories or involving their citizens, to the insulation approach chosen by China with the creation of a segregated internet protected by an electronic version of the Great Wall, strategies differ, generally reflecting the nature of the political regimes, the orientations and the foreign policies of the nations.
Technologies allowing the general public to protect their property (critical data) and privacy (communications), i.e. to benefit in cyberspace from the constitutional rights they have in real life, do exist. They would be enough to protect against cybercriminals, whose international character renders them virtually immune to efficient action from governments, which are therefore unable to fulfil their obligation and mission to protect the security and property of their citizens.
However, when these citizens take matters into their own hands by using strong cryptography techniques, the very same governments treat it as a violation of the regulations on weapons development, trade and use.
This schizophrenic position of the governments has to stop, and matters need to be clarified once and for all through the development of a proper Law which can be relied upon by both citizens and governments.
Various public-driven projects, expressing hopes for an “internet government, of the internauts, for the internauts, by the internauts”, surface on a regular basis.
However, the final outcome might very well be defined by the current tendency: laws compelling individuals to breach their own privacy when governments aren’t able to do it by themselves. In Canada, a couple of weeks ago, a traveler was incarcerated after refusing to give airport security access to the private, encrypted data on his smartphone by entering the decryption code himself, as they couldn’t break in.