Throughout its fight with the FBI over unlocking iPhones, Apple has said that lawmakers, not courts, should be the ones setting the course on encryption policy. This stance doesn’t come without risk, since there’s no guarantee that Congress would give Apple what it wants. Meanwhile, foreign lawmakers are threatening to muddy the waters even further. Recent actions in Europe and South America reveal the potential for a patchwork of varying national policies that could pose an impossible situation for global technology companies. How can they comply with differing, sometimes conflicting laws in the many countries in which they operate?
Discord is inevitable, argues Rob Knake, who served as director of cybersecurity for the White House from 2011 to 2015. He thinks the thorniest policy issues will arise with governments from countries that are close to the U.S. culturally and politically.
In Europe, law enforcement has generally counted on cooperation from the private sector in obtaining data for police investigations. Given that the sense of urgency over terrorism in Western Europe is particularly acute these days, it may be a bad time for tech companies to push back. “Will they really be able to hold out against pressure from other democracies?” asks Knake.
The test could come sooner rather than later. On Tuesday, French legislators voted overwhelmingly to advance a plan that would punish technology companies that don’t provide access to encrypted data. Under the proposed rules, tech executives could face fines and jail sentences. The bill is still several stages away from becoming law, but if passed, companies in Apple’s position would have a range of unattractive options. They could create devices and services with the technical capability to comply with government data requests, an approach most seem to disdain. They could simply pull out of France altogether. Or they could keep operating and wait for a clash with local law enforcement.
Tensions over encryption are rising in other countries as well. Britain is currently considering sweeping changes to its surveillance legislation. When a new bill was introduced late last year, it drew criticism for not clarifying whether foreign companies would be required to provide access to encrypted communications. A recently redrafted bill is no better, says Jens-Henrik Jeppesen, director of European Affairs for the Center for Democracy & Technology. “It doesn’t make it clear what exactly it is the government wants,” he said. “They’ve certainly given themselves leeway to say to a communications provider, ‘You’ve got to suspend this or that service because we can’t get what we want.’”
In Brazil, police recently detained a local Facebook executive because the company didn’t provide information related to a drug trafficking investigation. Last year, Brazilian police raided the home of a Microsoft executive who refused to turn over Skype data that was stored in the U.S., citing the same law. According to Microsoft, giving in to Brazilian demands would have violated American wiretapping laws. The company essentially had to choose which country's policies to violate.
As each country approaches data security, privacy, and encryption in a different way, it could become virtually impossible for global technology companies to adhere to all local laws simultaneously, says Knake. A similar dynamic is taking place over disputes about whether, say, Microsoft has to turn over emails it is storing in an Irish data center to the FBI. The U.S. says that Microsoft has to comply with a lawful request to produce the emails; the company argues that doing so would open it up to demands from foreign governments to share information stored in the U.S.
If the U.S. Congress does take up new legislation on encryption, the technology industry can be expected to put intense pressure on lawmakers to see things their way. In Europe, though, Silicon Valley’s lobbying is likely to hold less sway, says Jeppesen. American tech companies have come under fire in Europe for various perceived sins: anti-competitive behavior, tax evasion, business practices that suck the value out of local media.
European governments’ lack of faith in Silicon Valley’s ability to keep private information away from the U.S. government has raised the level of distrust even further. While Apple is focused on the FBI, the international situation it faces is only going to get more difficult, says David Fidler, a senior fellow at the Center for Applied Cybersecurity Research at Indiana University. “You think this is a problem?” he says. “Just wait until the other shoe drops.”