weyo - Fotolia

RSAC16: US works on data access agreement with UK

The US is negotiating with the UK to establish a new framework that will permit UK authorities to access electronic communications directly from US companies

The US is working on an agreement to enable US companies with a presence in the UK to respond more easily to UK data access requests, the US attorney general has announced.

Law enforcement authorities around the world increasingly require access to electronic evidence from US companies that is often stored in the US, Loretta Lynch told RSA Conference 2016 in San Francisco.

“US companies often face conflicting and competing legal obligations when other governments require them to disclose information that US law prevents them disclosing,” she said. “They are caught, literally, in a bind.”

As well as harming US allies’ efforts to investigate terrorism and other serious crime, this has been a hardship for US companies, forcing them to choose between violating US or foreign law, said Lynch.

In an attempt to ease these burdens, while advancing public safety and protecting privacy and civil liberties, the US has begun negotiating with the UK to establish a new framework that will permit UK authorities to access electronic communications directly from US companies, where the investigation targets accounts not used by US citizens or other people living in the US, she said.

To qualify, Lynch said the UK government would have to agree to a number of provisions that are designed to protect privacy and fundamental rights, and a UK order would have to comply with UK law.

“This agreement we are working on will release US companies from conflicting legal obligations in clearly and carefully defined circumstances and would help one of our oldest allies to perform high-priority criminal investigations,” she said. This would not only protect UK citizens, but would also further US interests in an age of transnational crime and terrorism, she added.

The agreement is also designed to provide reciprocal benefits for US government data access requests to UK companies to assist US investigations.

Lynch said that if the agreement proves successful, it could pave the way for similar arrangements with other countries.

Protect privacy and civil liberties

But this replication will occur only if those other countries also adequately protect privacy and civil liberties, which in turn could encourage countries to improve their civil laws to enhance privacy protections to get the benefits of this arrangement, she said.

Although very beneficial to US companies, the arrangement would require Congressional action to take effect, said Lynch.

But based on conversations with communications companies, civil liberties groups, academics and information security professionals, she said she was optimistic that the US could take an important step that would benefit security, commerce, international co-operation and privacy.

“All these exist in the same world; all of these can be protected by people working together at the same time,” she said.

Read more about Apple’s row with the FBI

  • Apple CEO Tim Cook is getting support from technology and information security firms in his refusal to help the FBI to hack into an iPhone used by San Bernardino gunman Syed Rizwan Farook.
  • The US government is using a 1789 law to get Apple to help the FBI bypass encryption on an iPhone used by a suspect in the San Bernardino killing spree.

As well as working with its global counterparts, the US government is committed to working closely with the private sector, said Lynch.

“Just last week, the Department of Justice hosted a group of experts from some of America’s foremost tech companies for a discussion about how we could work together to effectively counter violent extremism,” she said, describing this as the “problem of the day” in the US national security framework.

But Lynch said this conversation would not be complete without discussing “going dark” issues, referring to challenges posed by the growing use of encryption by technology producers and online service providers.

Debate about encryption has recently been fuelled by Apple’s refusal to hack into an iPhone 5C running iOS9 used by San Bernardino gunman Syed Rizwan Farook.

Dangerous precedent

A US judge ordered Apple to create a custom firmware file to enable the FBI to bypass or disable the auto-erase function and brute-force crack Farook’s iPhone passcode, but the company said this would set a dangerous precedent.

Apple’s lawyers have also argued that forcing the company to comply with the order will infringe its constitutional rights.

Lynch appealed for continued open dialogue with Apple and other technology firms, lamenting that “until recently” Apple had maintained the ability to provide information to the government without any loss of safety or security of the data stored on its devices.

Providing carefully scripted answers to carefully scripted questions, Lynch dodged the issues of setting a precedent and threatening the security of all iPhone users, instead emphasising the importance of adhering to the requirements of law and of Apple returning to its long-established practice of helping law enforcement.

Commenting on this week’s ruling by the US District Court of Eastern New York that Apple did not have to unlock the iPhone of suspected drug trafficker Jun Feng despite the fact that the court had previously given the FBI a search warrant for the iPhone 5s running iOS 7, Lynch said she was “disappointed” by the ruling and would ask the court to reconsider.

Promised to help

According to Lynch, Apple had promised to help in the Feng case, just as it had done for many years, and she noted that this position changed only when the request concerning the San Bernardino gunman’s iPhone became public.

“The issue is not encryption, it is whether Apple will do what it has always done, and what any American company or citizen would do, and that is comply with the law and respond to a request from the government for assistance,” she said.

Responding to Apple’s argument that the order violates its Fifth and First Amendment constitutional rights, Lynch said the Fifth Amendment protects people from self-incrimination, but noted that Apple was not accused of any wrongdoing and, as a third party in the matter, there was no way it could incriminate itself.

Apple’s lawyers have argued that writing software is protected free expression, so forcing it to create new software would be “compelled speech and viewpoint discrimination in violation of the First Amendment”.

Very important topic

Lynch said this was a “very important topic for discussion” because it had ramifications far beyond the case of the San Bernardino gunman’s iPhone as to whether a company should be required to write code to help it comply with legal process.

“One question would be what is the intersection between free speech and commercial speech when talking about code, which are fascinating issues, but are not the issues that drive this case, and frankly they aren’t the issues that will drive how law enforcement works with the tech industry to resolve all these issues because we are relying on time-tested values of law and our obligation to protect the American people,” she said.

Lynch said she was surprised that a “great and innovative” company like Apple appeared to be unwilling to give any more thought to how it could protect its customers’ data, but at the same time help law enforcement with investigations, with the assistance of the courts, in a limited, focused way.

She said Apple CEO Tim Cook would get the opportunity to express his views in court, with a hearing on the matter scheduled for 22 March.

Read more on Privacy and data protection