Q&A: Stanford's Riana Pfefferkorn on 'Responsible Encryption'
Stanford Law cryptography fellow Riana Pfefferkorn talks about the Department of Justice's new push for “responsible encryption” and whether it could lead to new legislation.
November 15, 2017 at 04:30 PM
SAN FRANCISCO — It's been two years since the very public showdown between Apple and the FBI over encryption, in a legal battle that ultimately ended without much of a resolution. Now, a standoff in the “crypto wars” appears to again be looming.
In this excerpt from an interview on Law.com's “Unprecedented” podcast, Stanford Law cryptography fellow Riana Pfefferkorn talks about the Department of Justice's new push for “responsible encryption” and whether it could lead to new legislation. Listen to the full interview here, or subscribe to “Unprecedented” on your Apple or Android device.
If you're in the Bay Area, you can catch Pfefferkorn speak about the crypto wars on Wednesday night at an event hosted in Oakland by Ars Technica.
This transcript has been edited for length and clarity.
Ben Hancock: You wrote in a blog post several weeks ago about “responsible encryption” and how the phrase was used by Deputy Attorney General Rod Rosenstein. Tell me about that speech and what struck you about that.
Riana Pfefferkorn: This was a speech that the deputy attorney general made to the Naval Academy a few weeks ago, and there were a few things that I found kind of noteworthy about that. One was this was really the first place I think we've seen the use of this term “responsible encryption.” Now, we've heard it before, going all the way back to then-FBI Director Louis Freeh back in the mid-90s, when he referred to “socially responsible encryption” during the previous round of the crypto wars, when at that time, the DOJ and FBI were already sounding the alarm about communications “going dark” due to new technologies, including encryption. But the U.S. Naval Academy speech was the first place where we've seen a term that the deputy attorney general has now been using quite frequently, “responsible encryption.”
Perhaps most noteworthy about that speech, though, were these sort of dark intonations from Rosenstein that there had been conversations between law enforcement and technology companies to try and, I guess, persuade companies to make their encryption designs law enforcement-friendlier, but that the companies hadn't been responsive to this. And so, what he seemed to be saying in his speech is, “The time for talking is over, we're going to need to legislate, because [tech companies] are not going to make any changes unless we force their hand.”
In a time where the winds have shifted to really be not as friendly to Silicon Valley, and where large tech companies are no longer really seen as necessarily being on the side of their users, I think this is a point where Rosenstein and his colleagues really smell blood in the water.
Ben Hancock: There's another point in Rosenstein's speech that you flagged, which is that tech companies have been willing to play ball with governments such as Russia and China. Do you feel like companies have put themselves in a difficult position to argue against “responsible encryption” because of what they've done to do business overseas?
Riana Pfefferkorn: I think it's a fair point. And out of the many points of disagreement that I have with Mr. Rosenstein, when he points out that companies have submitted to security reviews by China or allowed Russia to do audits of their source code — or when they've helped out with censorship, or helped regimes persecute journalists in the past — this does open those companies up to the criticism that, when they go out and say, “We're pro-users, we're on the side of our users' privacy and our users' security,” that that can ring a little bit hollow.
So he does sort of have a point to say that companies have opened themselves up to this kind of criticism. But at the same time, it's sort of salacious in that it's saying, “Well, if you'll comply with laws that are terrible ideas in other countries — like submitting to source code reviews by governments that have been tampering with our own elections in recent years, for example — then why don't we just pass our own terrible-idea law that mandates backdoors, and then you can go and comply with that because you've shown that you'll comply with any old stupid law.” I don't think that necessarily follows.
Ben Hancock: You said that if legislation is introduced, it won't necessarily look like the Compliance with Court Orders Act. What would you expect it to look like?
Riana Pfefferkorn: It's difficult to say what it would actually look like. Every time that the deputy attorney general has gone and spoken in public, he's really sort of demurred on specifying what a regulation would look like, just [saying] that it should serve the ultimate purpose of giving law enforcement access to plain text data. And he's also sort of muddied the waters a little bit in terms of whether he's asking for a regulation that would only deal with communications in transit, or for encryption on smartphones or other devices encrypted at rest.
Most of the bills that we saw floated at the congressional level and in a few states a couple of years ago mostly dealt with smartphones, in a not-so-subtle way aimed at Apple and Apple's phones. But I think if there were some sort of law in place, it would sort of not make sense for it to only target data at rest. I think that we try to target both communications encryption and encryption for data at rest, which opens up a Pandora's box of problems. Are you trying to get at the Signals of the world, or are you saying we can't encrypt web traffic anymore? And does that undermine all of e-commerce?
Ben Hancock: You were previously an attorney at Wilson Sonsini Goodrich & Rosati, advising tech companies. Putting that hat on again, what would you advise tech companies to do amid this debate now?
Riana Pfefferkorn: It would depend on which company we're talking about. A big company and a small company are going to be in different positions in terms of what's possible for them to implement and administer. A company that sort of comes at the issue from a bit more ideological backing, like the makers of Signal, might have a different tolerance for spoiling for a fight than a larger, more established, blue-chip publicly traded company. Whether they're public or not would also come into the picture a lot, because public companies don't just have to be answerable to their users; when you're public, you have to be answerable to your stockholders.
But one thing I would just remind companies is that they are at liberty to design their encryption however they want to. The law permits them to do that. They do not have to make encryption that is accessible by law enforcement; they do not have to make surveillance-friendly encryption.