Welcome back for another week of What's Next, where we report on the intersection of law and technology. This week, we asked law experts to predict how companies might be forced to comply with providing law enforcement access to encrypted products. Plus, the U.S. Department of Justice proposed a new rule this week for gathering DNA samples "from non-United States persons who are detained under the authority of the United States." And a Saudi refugee sues Twitter for accidentally employing an alleged agent of the Kingdom of Saudi Arabia as an engineer. Let's chat: Email me at [email protected] and follow me on Twitter at @a_lancaster.


 


Every Time One Backdoor Opens

Like the ticking of time or the passing of seasons, technologists and law enforcement are once again at odds over calls to limit encryption or to create backdoor access channels for criminal investigations.

Earlier this month, U.S. Attorney General William Barr and representatives from the United Kingdom and Australia penned an open letter to Facebook calling on the company to delay its plans to extend the encryption deployed within the WhatsApp messaging platform to Facebook Messenger and Instagram messaging. That same day, the three countries also announced a Bilateral Data Access Agreement aimed at speeding up requests for online information sharing to a matter of weeks or days, instead of months or years. In an article for The Guardian, whistleblower Edward Snowden wrote that the renewed calls for backdoor access to encrypted products could mean "our public infrastructure and private lives will be rendered permanently unsafe."

Although some say the security community is stuck in a feedback loop of ideologies on the issue, many legal experts have been considering what the world would look like if companies were indeed forced to provide backdoor access to encryption. Here's how legal futurists predict such a policy shift could go down.

Perhaps the most obvious path to expanding law enforcement access to encrypted products is legislation. Riana Pfefferkorn, associate director of surveillance and cybersecurity for Stanford Law School, said the legislation would have to cover a fairly broad range of industries, depending on whether it was centered on unlocking encryption for devices, such as cell phones, or platforms, such as messaging apps. One piece of legislation that could be revived is 2016's Compliance With Court Orders bill drafted by Sens. Dianne Feinstein (D-CA) and Richard Burr (R-NC), which required companies to comply with court orders asking to decrypt user data. The proposal was never assigned an official bill number after the security community "laughed it out the room," Pfefferkorn said. However, she has been hearing rumblings that the Senate Judiciary Committee might take this issue up again. "Sen. Feinstein is on Judiciary, so we might see some efforts by her to try to reintroduce her bill," she said.

Stewart Baker, a partner at Steptoe & Johnson and former general counsel at the National Security Agency, said neither the broader fight nor the legislation around it is new. Baker suspects legislation would mirror the Federal Communications Commission's response to how the emergence of digital telephone exchanges limited the government's ability to conduct wiretaps. Although the Communications Assistance for Law Enforcement Act (CALEA) required telecommunications companies to comply with wiretapping activities, the government zeroed in on the major players replacing traditional telecom companies.

"There's plenty of precedent for applying this only to big companies with real reach that have a substantial customer base," Baker said. "I'm guessing when push comes to shove, law enforcement and the Justice Department would accept that because it seems to solve the biggest problem that they have." He sees any legislation mostly applying to behemoths such as Google, Microsoft and Facebook.

Legislation enforcing backdoors would have to close two loopholes CALEA created, Pfefferkorn said. When it was passed in 1994 during the infancy of the World Wide Web, the law provided an exemption for online information services. The legislation also still gives companies the option to deny law enforcement access if their products are fully encrypted, so that not even internal controls can break through. "The new law would have to say you must retain the ability to decrypt for law enforcement, rather than if you have the ability to decrypt then you must do so."

Appropriating funds to pay for the costs of complying with a court order might also be included in legislation, Pfefferkorn said, which could create a "perverse incentive" to "sell customers out" and treat government access as a profit center.

Another provision that could end up in the final draft of a bill is an immunity clause protecting companies from litigation as a result of backdoor breaches, said Amie Stepanovich, executive director of the Silicon Flatirons Center for Law, Technology, and Entrepreneurship at the University of Colorado Law School. "You're essentially incentivizing people to make their product less secure, which means those products would potentially be more open and vulnerable to data breaches or other sorts of attacks," Stepanovich said. "That leaves companies open to legal liability. So, I can imagine a legislative proposal that would want to provide some sort of immunity acting under the government to build one of these capabilities."

Besides a domestic legislative process, companies could be forced to change their approach to encryption through a foreign legislative mandate. Australia and the U.K. already have legislation on the issue, she said. Stepanovich suspects companies are thinking less about contingency plans for U.S. encryption law as they create concrete action plans for what they would do if they get served a court order from a foreign country that already has enforcement measures in place.

Lawsuits and public controversy could be another way to force the creation of backdoors. Stepanovich points to a case such as Apple v. FBI, where the government argued for access to iPhones in the wake of the San Bernardino shooting.

Alan Rozenshtein of the University of Minnesota Law School said the change could come merely from a swing in public sentiment. "It might be hard to imagine now, but if there's a rash of violent crime, terrorism, public pressure might change," Rozenshtein said.


 


Mapping Immigrant DNA

This week, the U.S. Department of Justice floated a new policy proposal that would streamline law enforcement's collection of DNA samples from migrants.

The amendment would take away the Secretary of Homeland Security's authority to exempt certain non-U.S. citizens from DNA collection requirements. "This will restore the Attorney General's plenary legal authority to authorize and direct all relevant Federal agencies, including the Department of Homeland Security, to collect DNA samples from individuals who are arrested, facing charges, or convicted, and from non-United States persons who are detained under the authority of the United States," according to the proposal signed by U.S. Attorney General William Barr.

The DNA Fingerprint Act exemption was originally put in place nearly 15 years ago to account for operational hurdles, such as "recognizing that it might not be feasible to implement the general policy of DNA-sample collection immediately in relation to the whole class of immigration detainees, including the hundreds of thousands of illegal entrants who are taken into custody near the southwest border of the United States each year," according to the proposal. However, Barr and the DOJ argue that federal agencies now conduct widespread DNA sampling, thanks to technological advancements.

Naureen Shah, senior policy and advocacy counsel with the American Civil Liberties Union, has called the proposal "transparently xenophobic in its intentions."

"Forced DNA collection exposes sensitive, personal information not only about those in immigration detention, but also their family members, including U.S. citizens," Shah said in a statement. "Instead of allowing this administration to treat immigrants as threats to be surveilled, Congress should prevent any appropriations from being used for this DNA collection. It should also cut funding for immigration detention, which has soared to an unprecedented level of more than 50,000 people a day."

President Donald Trump has yet to appoint a successor for former Homeland Security Secretary Kirstjen Nielsen, who resigned in April. The Wall Street Journal reported earlier this week that Trump's top picks for Nielsen's replacement—acting U.S. Citizenship and Immigration Services head Ken Cuccinelli and acting Customs and Border Protection Commissioner Mark Morgan—are not eligible for the position.

Public comment on the proposal is due Monday, Nov. 11.


 


Saudi Activist Sues Twitter Over Privacy Breach

A political dissident and "close friend" of murdered journalist Jamal Khashoggi is seeking to hold Twitter accountable for allegedly hiring a hostile agent of the Kingdom of Saudi Arabia (KSA).

Omar Abdulaziz, an activist who lives as a Saudi refugee in Canada, claims Twitter has exposed him, his family and his friends to "imprisonment, torture, and even death," according to a complaint filed in the U.S. District Court for the Northern District of California last Friday.

Abdulaziz claims that Twitter mistakenly hired Al Alzabarah, a KSA agent whose mission was to dig up information on Abdulaziz and fellow opposition activists. Twitter reportedly promoted Alzabarah to an engineer, where he gained access to sensitive user data. The lawsuit claims the alleged spy gained access to Abdulaziz's Twitter password, private email address and telephone number, as well as insights on his social connections.

Despite Twitter's role in the Arab Spring, Twitter jeopardized Abdulaziz's privacy when it "did not investigate potential employees' political alliances or connections to foreign governments to determine whether such potential hires would abuse their positions to hack into the private and sensitive data of Twitter's users," wrote plaintiff's counsel Mark Kleiman of Kleiman/Rajaram in Venice, California, and Ben Gharagozli of Ben Gharagozli Law Offices in Marina del Rey, California.

Abdulaziz is accusing Twitter of invasion of privacy and violating the Stored Communications Act by essentially ratifying its former employee Alzabarah's actions. "In hacking into and accessing Plaintiff's confidential Twitter information, Alzabarah intentionally exceeded his authorization to access that facility and thereby authorized access to electronic communication while it was in electronic storage," wrote Kleiman and Gharagozli.

Twitter did not respond to a request for comment Friday regarding this complaint, nor did it provide comment for a story The New York Times published regarding the incident in 2018.

Twitter found out Alzabarah was accessing and transmitting confidential information in 2015, and fired him after an investigation into his activities, according to the complaint. Later that year, Twitter issued a notice to several dozen accounts that the alleged KSA agent hacked, writing "As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors," according to the complaint.

Abdulaziz contends he never got that message. Instead, a year later, Abdulaziz said he received a message from Twitter saying that the company "recently learned about—and immediately fixed—a bug that affected our password recovery systems for about 24 hours last week."

The case has been assigned to Magistrate Judge Laurel Beeler, who earlier this year threw out two lawsuits suing Twitter and Facebook for failing to address terrorist activity on their platforms in connection to the 2015 San Bernardino mass shooting.


 


On the Radar

Musk's 'Stupid' Case: U.S. Magistrate Judge Jacqueline Scott Corley did not seem to be amused with the facts of the case surrounding a defamation suit against Elon Musk over his Twitter comment calling cave diver Vernon Unsworth a "pedo guy." Corley said toward the end of Thursday's hearing over whether Musk could depose Buzzfeed reporter Ryan Mac, who reported on the conflict, that "everything about this case turns out to be stupid." Musk might not even disagree with that sentiment. Although Musk's Quinn Emanuel Urquhart & Sullivan counsel argued for deposing Mac about his decision to publish emails Musk contends were off the record or on deep background, Mac's lawyer, Katherine Bolger of Davis Wright Tremaine, noted that Musk has said in his deposition that he was "a fucking idiot" for sending Mac the emails. Corley questioned the relevance Mac's deposition would offer for Musk's case but said his testimony could be relevant to Unsworth's defamation claims. Read more from Ross Todd here.

Law Firm Vendors Need to Lock it Down: Third-party vendors are often the source of law firm data breaches, a Law.com investigative report reveals. External breaches, such as phishing, hacking and vendor incidents, were the most common point of exposure for breaches, according to records from more than a dozen states. Stolen or lost devices were the second most common type of security incident reported by law firms. Read more from Christine Simmons, Xiumei Dong and Ben Hancock here.

Amazon's Full-Service IP Partner: In a group dominated by small IP shops, brick-and-mortarless operation FisherBroyles is the only full-service firm in Amazon's IP accelerator. The IP accelerator aims to streamline trademark registration for sellers on Amazon.com, and the 250-attorney firm is one of 11 fixed-fee IP service providers working with the platform. As a virtual firm, the company "fit right in" because it is able to offer more "boutique-type rates." In the first few weeks of participating, FisherBroyles has already received several hundred inquiries from sellers. Read more from Dan Packel here.


Thanks for reading. We will be back next week with more What's Next.