Summary:
In this podcast, Bill Tolson, VP Compliance and eDiscovery, and James McCarthy, CCO of Archive360, address the questions and issues around the Lawful Access to Encrypted Data Act and the Cloud Act, including:
* How do current and any potential new laws affect how US-based and non-US-based companies should store their data in the cloud?
* What challenges and issues organizations will have with their cloud vendors?
* How will the new Senate bill affect the use of US-based corporate cloud storage repositories?
* What is a secrecy warrant? And what does it mean for companies with sensitive data stored in third-party clouds?
* What can companies do to protect their sensitive information from government overreach and secrecy warrants?
Speakers
James McCarthy, esq
General and Litigation Defense Counsel
James has served as general and litigation defense counsel for 25 years in private practice, providing guidance on legal compliance obligations and structuring contractual relationships with partners and customers. This includes local, county, and state government bodies. James is also an adjunct lecturer at Felician College on business law.
Bill Tolson
Vice President of Global Compliance
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Podcast Transcript:
Bill Tolson:
Welcome to the Archive360 Podcast titled Clouds, Backdoors, Secrecy Orders, and the Lawful Access to Encrypted Data Act. With me today for this podcast is James McCarthy or Jim, chief compliance officer and general counsel for Archive360. And my name is Bill Tolson, I'm the VP of compliance and e-discovery here at Archive360. In this podcast, Jim and I are going to address the questions, issues around this new bill and potentially some additional content around the Cloud Act, but questions and issues including how this current and any new potential laws, and this one we just mentioned is a potential law, it's not law in effect yet, but how this could or will affect how both US-based and non-US-based companies store their data in the cloud and what are those challenges or issues that they're going to be looking at when it comes to talking to vendors.
Bill Tolson:
And then we'll get into how the new Senate bill would affect the use of US-based corporate cloud storage repositories, which obviously is near and dear to our hearts. And then what is a secrecy warrant? And what does it mean for companies with sensitive data stored in third-party clouds? And this is really interesting and I think we could probably talk a day on that one by itself. But it's an issue that both of us have had potential clients bring up. So we'll get into that a little bit. And then finally, what companies can do to protect their sensitive information from government overreach and secrecy warrants and all of these kinds of things.
Bill Tolson:
So with that, let's get started. US Senate recently introduced a bill, it's not a law yet, but it's a bill in the Senate titled the Lawful Access to Encrypted Data Act. And this bill if passed, would make it illegal for cloud providers as well as electronic device makers to deny data access to client data by government agencies, either federal, state, or local. And when I talk about device makers, the one that I think most people would recognize is the problems Apple with the iPhone had over the last several years in not providing access to the FBI and others when it comes to them wanting to get into encrypted phones. So this Lawful Access to Encrypted Data Act is really interesting. Don't know if it's actually going to make it through the Senate or through the Senate and the House but I think we've all been expecting this.
Bill Tolson:
Additionally, this is related in certain ways to the Cloud Act, which was passed in 2018 and actually is law. And the Cloud Act actually creates a new subsection of the Stored Communications Act as well as the Wiretap Act to allow federal law enforcement to compel US-based technology companies via a warrant or subpoena to provide requested data stored on servers, regardless of where the data is stored in the US or on foreign soil. And I think, Jim, the one that most people recognize here is the Microsoft lawsuit in reference to I think it was the attorney general of the United States asking for data.
James McCarthy:
I think that anytime you're evaluating these types of bills, it's important to balance the competing interests on either side. In this particular bill that was advanced by Senators Graham, Blackburn, and Cotton, they wanted to ensure that we have a robust law enforcement with the tools necessary to investigate, track down, and prosecute bad actors. And when proposing the law, they often cite terrorists or traffickers of children and other very bad actors. And of course, we want that, we want to have a law enforcement mechanism that is able to do those things. But at what cost? That's really the question that we're looking at here.
James McCarthy:
We heard some impact from this proposal from July of this year. And on the other side of that point, the senators' point in law enforcement tools is people who are very concerned that this is a, make no mistake about it, crystal clear ban on providers from offering end-to-end encryption in online services that simply cannot be unlocked for law enforcement. So that's the two sides of this particular debate when we're talking about this act. There is the side which promotes robust law enforcement against the ability of providers to provide state-of-the-art end-to-end encryption and services to their customers.
Bill Tolson:
Well, and that's a really interesting point. And I think we need to focus in a little bit and draw a line here. And I agree with what you just said, the bill tries to make it so that providers, whether they be cloud storage providers or electronic device makers, are not creating a situation where the data cannot be retrieved through that provider. But it doesn't, and tell me if I'm wrong, but it does not stop the data owner from encrypting their own data, correct?
James McCarthy:
It does not presently. I don't think candidly that this act, if you read the legislative history on it, contemplated that there would be an ability of customers to let's say, field encrypt their data before it goes to the cloud.
Bill Tolson:
Right. So, Jim, you've looked at this bill, the Lawful Access To Encrypted Data Act, again, just introduced in the Senate, in some depth and actually so have I. What are the main points of the bill that are causing companies to rethink where they store their data and the kinds of security that they must have around that data to keep their chief information security officers and so forth satisfied?
James McCarthy:
I think that the two main points of this bill that are causing security officers a lot of concern is one, the fact that the US government is essentially demanding companies to provide either a key escrow or an encryption backdoor to its proprietary software applications. And in doing so, and we understand full well, Bill, that we want robust law enforcement tools, but if we just focus on the backdoors for a moment, this creates a major target because it is not just the government that will be able to get this backdoor. And let's presume that the government's track record of holding things in competence is a different and that there is no exposure from government authorities once this backdoor is created, there's also very large concern that other actors could get access to these backdoors. And the concern for companies is simple, with these backdoors, I can access your bank account information, Bill, I can access your passwords, your credentials, everything that you do online. And since we're living more of our lives online, the impact of that kind of access can't be understated.
Bill Tolson:
Yeah, that's a great point. I think it's almost a universal fact that if a backdoor exists into a device or into a cloud or technology, then probably 15 minutes after it's actually introduced, hackers are going to be through it. And that's what worries chief information security officers is, it might be done with a great intention of stopping terrorism and all this other kind of stuff. But the fact that a backdoor is created means that somebody and probably a lot of people very shortly after will be able to get in and start hacking into, for example, these cloud repositories where all of the sensitive data is kept.
Bill Tolson:
And we all know what kind of sensitive data we're talking about. It's IP, it's M&A activity, it's revenue-based. It's anything and everything that hackers go after now, they will be able to get into and misuse obviously. And lately, Archive360 has been talking a lot about the rise of these different new types of ransomware where hackers will get in and encrypt the data so that the company can't use it. But they're also stealing the data and threatening to release it on the internet if their ransoms are not paid. And all a backdoor does is make it easier for these people, these hackers to do it. And I think that's one of the main issues that most companies have with this bill.
Bill Tolson:
Secondly, the bill itself, and I've read it a couple of times and I'm sure you have too, Jim, it is a bill targeted at service providers not end user clients. So I've read it with this particular in mind. It does not say that an individual company or user who owns the data cannot protect their data and encrypt it. Right now, that's probably a bridge too far, I think, and no one would go for that, maybe someday, but not right now. But what they're saying is we want device manufacturers and service providers to provide a way in for the government. And it could be any government agency that has the appropriate court approval to go in and look at data. And as we get into talking about secrecy orders, in many cases the data owner, the company who owns the data, who stores it in the cloud would not know that their data has been reviewed by a government agency.
James McCarthy:
That's correct. Bill, I didn't know if that is common knowledge. But when, let's say, Apple is subpoenaed by the US government, when a secrecy order is issued, that means Apple may not even tell its customer that its data has been revealed to the governmental authorities. And you can certainly see both sides of that issue as well. You do not want to tip off a bad actor that there is an investigation being made against him or her. And the other concern on the other side is that there's serious privacy issues. That if Apple's customers knew that their data could be provided without their knowledge like this, maybe those customers would be less likely to use those services from Apple.
Bill Tolson:
Yeah, and Apple would lose business and that's why they fought so hard. And that's why other companies as well, not just Apple, but other companies as well have fought so hard because even people who don't have criminal intent want their data protected from hackers and ransomware and all these kinds of things. And we have read stories over the last several years about potential agency misuse of data and warrants. So it has to become a much bigger issue. And we're talking about secrecy warrants here especially. And that's one of the issues that many clients bring up with us and I'm sure others when they're talking about a given cloud repository. Number one, what's your security levels? What's your stance on... Do you fight a government secrecy order or do you just go with it? And I, the data owner will never know that their data has been reviewed. And then, Jim, that's like you said, a secrecy order basically says that give us access to Archive360's data, and by the way, it's against the law for you to tell them that we've accessed the data and copied it.
James McCarthy:
Right. Bill, picking up with something you had mentioned a moment ago, this act is limited as far as who it's directed at. Its genesis was the dispute that Apple had with law enforcement when the San Bernardino terrorist attack occurred and they were having difficulty getting into one of the terrorists' phones to find co-conspirators. And that was a legal battle that raged on. But what you said earlier struck a chord, what that was was that this bill nor any other piece of legislation to my knowledge is directed at individual customers who may want to encrypt their data before it is migrated into the cloud for just this reason. If you are an enterprise customer and you're looking at the way the pendulum is swinging towards these types of laws, now giving law enforcement these tools, maybe you want to be proactive, maybe you want to in fact make sure that your data is hardened before it gets to your cloud service provider. And thereby any type of backdoor or key escrow that these laws come up with would be rendered moot because of that, that the customer has already taken proactive steps to cordon its data.
Bill Tolson:
That's a great point. And that is the one capability that individuals and companies have to protect their data from this kind of action. And again, we're not saying that the act is evil or anything else, it's basically, we all know the reasoning behind it, and in certain cases it makes a lot of sense. But lots of security people in companies, they're tasked with protecting, securing their data and having the ability for some entity, whether it be the government or hackers or whatever else get access to it makes them nervous. Just think about what health-care chief security officers are worrying about with HIPAA and all the secrecy requirements around it, or privacy requirements around it, and the potential gigantic fines that can go along with this kind of stuff.
Bill Tolson:
So one of the only answers against this kind of potential activity and laws that support it is actually encrypting your data with your own encryption keys and keeping those keys secret. So you might have a bunch of sensitive data up in cloud ABC and if an intelligence agency comes to the cloud's legal department and says, hey, we have a secrecy order here, we need this data. We need access to the data right now. And, oh, by the way, if you the cloud provider have encrypted this data, you must decrypt it for us and give us access and let us view it and potentially let us copy it. And if that data was encrypted by the data owner, who has their keys stored separately, for example on premise, then that order, that secrecy order really goes nowhere because the cloud provider cannot decrypt the data.
James McCarthy:
That's entirely true, Bill. And let's get into that even further. Suppose that you believe that sophisticated criminals and sophisticated hackers know what we know, what may use or adapt the strongest state-of-the-art encryption to protect their data just in the exact same way? And that's one of the arguments for this law really being not able to achieve what it was intended to do. There's a fair argument to be made that this act will really only harm law-abiding individuals because the very sophisticated hackers will know exactly what to do to keep their data protected from law enforcement, even if this act is passed.
Bill Tolson:
Yeah, that's a great point. And that's an obvious reality that most lawmakers don't necessarily take into account. I don't think in most cases you can ever get people to believe that politicians are technologically proficient. So a lot of these laws come out with obvious kind of question marks like, well, what do you do in this? And couldn't you get around it in that? And their first attempts, hopefully during the process of bringing the bill into a law, they bring in a lot more technical people to really look at the actual realities. But again, we're getting clients particularly asking us, can I designate a part of the world where I want the data stored versus it being stored in the United States so it's not accessible via the Cloud Act for example, or the Stored Communications Act to either e-discovery requests or to secrecy warrants? And that falls into the whole idea of the Privacy Act being invalidated and EU companies being very reticent about transferring personal information to the United States because the US companies cannot guarantee that they won't be forced to give up the data to a legal e-discovery request or warrant.
James McCarthy:
Yeah. And that is always the other rub in this, is that when our law enforcement tools become more effective, businesses that transact business overseas, in different [inaudible 00:21:24] that have different priorities for privacy, it really puts American businesses at a disadvantage because as you saw the recent trends to decision the fact that our law enforcement has such a long reach has caused the directives and these privacy groups to lobby their governments and to have these kinds of restrictions on US businesses that puts us behind the [inaudible 00:22:04].
Bill Tolson:
Well, and this discussion we've had over the last minute or so brings up a question I've been curious about. Is it against the law, US law, for companies to purposely direct their data to be stored outside the US specifically to avoid the particular issues?
James McCarthy:
There are export control laws regarding certain assets, that would include intellectual property. But as a private citizen, if I'd wanted my data stored in Ireland, for example, there would be no restriction on me from doing that provided I wasn't transporting certain assets.
Bill Tolson:
Yeah. And I would assume also that it couldn't be proven down the line that you were moving data that was involved in potential illegal activities to be hidden that way. That's like almost destruction of evidence right?
James McCarthy:
Right. I couldn't conceal any actions of a crime or potential crime by doing that. But if I just had privacy concerns that I wanted to be beyond the reach of these types of laws, I don't know any particular law that restricts me from having my personal information kept abroad.
Bill Tolson:
Well, and that brings up the Microsoft, Department of Justice case. And the idea that in that case, tell me if I'm wrong, Jim, in that case, data was being stored on Microsoft cloud servers in Ireland. And the entities within the US were basically as part of a legal case demanding that data be transferred, even though Irish law basically says you couldn't do that. And that was the basis for the introduction of the Cloud Act that basically made it illegal for companies, in this case it would be Microsoft, to make it illegal for them not to turn over the data even though the Irish country's laws basically stipulated that you couldn't.
James McCarthy:
Yeah, this was a very interesting case for the subpoena being handed to Microsoft in New York and the second circuit taking this case up to almost the top of the heat. And ultimately, Microsoft pushed back on the subpoena and prevailed. And the court's ultimate finding was that this Facebook account in Ireland, or of an Irish national, that was sought to be revealed via a New York subpoena could not be done. The mere fact that Microsoft was able to access it in New York at its offices did not mean that data was properly within the New York office's control. And it did not deprive that Irish national of his privacy rights to his Facebook account. So that was an interesting case because of the extraterritorial impact of that law. And that's another thing here though, is that at some point in time, your ability to legislate and to have that legislation reach across into other countries is very interesting. Where does data live? Is it anywhere it can be accessed or where it's initially placed? Intriguing questions.
Bill Tolson:
Yeah. Great questions. Obviously more is going to follow. Microsoft were put in a very difficult position. And Microsoft, I think for a year or two actually fought the order. And I think eventually because the Cloud Act was under way, they finally relented. But it raises that interesting question like you just said, where does the data actually exist and who has access to it? If anybody with the right access controls, no matter where they are in the world, can access it, is it actually secured per that country's laws?
James McCarthy:
Yeah, I do think that the Cloud Act was forged out of necessity and it was fast-tracked after that cross-border conflict erupted that we were just talking about. And Microsoft suit, even though that was in effect negated because the Supreme Court was poised to make a decision in that case after oral argument in early 2018. And this was a catalyst for the passage of the Cloud Act. And I think at that point in time, it was a compromise that provided for a mechanism for courts to be able to decide whether or not certain data that was originated abroad could be subject to a US subpoena. But understand this though, with the Cloud Act, there's also a mechanism for other governments to access, let's say, American citizen information in this [inaudible 00:28:17] manner. And if that, one could argue that the Cloud Act made it easier for foreign governments to obtain US citizen data by virtually the Cloud Act. Before the Cloud Act, governments would have to go through an old and bulky mechanism to get this information. And now it's been made relatively straightforward with the Cloud Act.
Bill Tolson:
Well, and that brings up the overall basis of this podcast. What can you do to better protect against some of these issues that we've just talked about? And we actually already mentioned it, this idea of taking more control of your company's data security by potentially encrypting your data yourselves before you move it up into the cloud instead of relying on say a SaaS cloud provider to encrypt your data and you feel safe. That's really the issue because that cloud provider has the encryption keys and a government can say, decrypt it for me and let me see it. If they don't have the decryption keys, then whoever is in control of that secrecy warrant must come to the company and say, we want your data. And obviously it wouldn't be secret then because for them to get the data, number one, you're going to have to turn it over, but you're also going to have to provide the encryption key.
Bill Tolson:
And I've heard secrecy and privacy experts say the same thing. Really, the only way to protect against it now is to do your own encryption before moving it into the cloud. And obviously we are talking about it here at Archive360 because we have that ability in our archive to Azure information management, marketing cloud, to allow for data before it's moved into the cloud tenancy to be encrypted on site and the encryption keys to be kept and secured sites so that secrecy warrants and other governmental intrusions into the data would be much more out in the open and harder to get versus the way that most cloud technologies are set up now.
James McCarthy:
I agree. This conversation does circle back to that time and again, Bill. That take control of your own data, encrypt it before the cloud provider has access to your data.
Bill Tolson:
That is really the only way to solve it right now. And probably in the future going forward, unless there's some really wild new technology that comes out, that's really what needs to be done. So when you're talking to a potential archiving vendor, a basic requirement would be, I need to be able to encrypt my data and keep my own encryption keys onsite before the data is moved up into whatever cloud.
James McCarthy:
Yeah. And to be clear, Bill, this is not a prescription on how to avoid law enforcement, no. What I think that the primary benefit behind encrypting your data first is to avoid things that happen every day. For example, if Capital One had encrypted its customer data prior to a wayward Amazon employee exposing over 100,000 accounts, that would have made everyone's life a lot easier a few years ago. So this is not about avoiding law enforcement, this is about protecting your data before it's exposed in cloud situations.
Bill Tolson:
No, that's a great point. Like you say, we're not trying to stop the legal access of data, we're just trying to make it a little, number one, more out in the open. But also encrypting your data before it goes into the cloud means that ransomware and hackers and all this kind of stuff are not going to be able to access the data. So you're protecting yourselves from those kinds of things. Well, Jim, I think that wraps up this podcast. If anyone has questions on this topic, please send an email, mentioning this podcast to info@archive360.com and we'll get back to you with some answers. The next podcast in our series, we'll discuss the coming COVID inspired litigation and what that means for corporate information management requirements. Jim and I will be posting additional podcasts on a wide range of related subjects. So keep an eye out for new postings. Thank you all.
James McCarthy:
Bill, it was good speaking with you today. Talk to you then.