As I’ve always said, “We don’t want the relationship between companies and government to be without tension; we want friction”. Actually, Anupam Chander said this at Monday’s privacy lecture at Berkeley, but it’s the kind of statement that I wish I’d said. This idea of an optimum level of friction is a good frame of reference at a time when law enforcement and companies trade words as to whether encryption will create the “phone of choice for the pedophile” or simply mean that “privacy doesn’t stop because of a government information request”.
At the same lecture, James Aquilina of Stroz Friedberg noted that a great travesty of the Snowden revelations was that it destroyed the relationship between government and companies. He explained that the trust built after 9/11 has been completely eroded and the relationship destroyed. The problem with this relationship breakdown is that the public still expects the government to be able to protect them. While this might seem to be at odds with Chander’s statement, I think that these statements can actually be seen as reflecting questions about how much tension there should be.
Much of our legal and political system is based on the idea that the best outcome is achieved when opponents representing different sides of a debate are able to battle it out; the separation of powers between executive, legislature, and judiciary; the adversarial court process; and the halls of Congress all rely on the tension between opposing views. While I wouldn’t advocate for a relationship based on the level of tension within Congress, we also don’t want tech companies to be the government’s lapdogs. It’s hard to know where the right line is on facilitating legitimate government investigations and ensuring individuals’ right to privacy.
Twitter’s new legal fight to publish full transparency figures reminds us that the right level of tension can’t necessarily be quietly negotiated. Instead, it may need to be lobbied and litigated. This is particularly important when legislative change is glacially slow. Where does this leave smaller companies, who don’t necessarily have the deep pockets to fight it out in court? I’ve had conversations with a small, very pro-user tech company where the C-suite has agreed that if they get a national security letter, they’ll close their US operations rather than hand over the data. But this isn’t an approach that many companies would be willing or able to take.
As a baseline, companies of all sizes should insist on a search warrant (or the appropriate legal process under the Electronic Communications Privacy Act) before handing over user data and notify users (wherever permitted). Companies should be proactive in their own privacy policies and procedures, paying attention to what personal information they’re collecting and storing, where they store it, and with whom they share it for commercial purposes. Whereas the US Government has been happy to overlook the rights of non-US persons, companies that operate in the global marketplace should take a principled approach to all users (see my explanation of the glaring gaps in ECPA with respect to foreign government requests). And if you happen to have deeper pockets and in-house legal support, consider having your day in court.
At the moment, we’re headed back into another round of the cryptowars between government and industry. Hopefully we will soon be able to reach some kind of détente where we have a set of clearer, more appropriate boundaries for where privacy ends and legitimate government access begins. In the meantime, let’s not shy away from a good fight.