Data Series: Encryption – The Protection of Data by Technological Means

by Bram Van Wiele


This blog post is the second in a series on the protection of data and databases. The previous blog post provides a broad discussion of the intellectual property protection of data and databases in South Africa. The present article looks at the protection of data from a different angle and examines data protection by technological means, in particular through encryption.

Encryption is the process of encoding any type of data in such a way that only parties with access to a decryption key can access its readable content. It does not prevent interception of, or interference with, the encoded data, but it prevents access to the intelligible content. Encryption is a particular feature of the digital environment. For example, the popular messaging service WhatsApp started protecting messages sent via its platform through end-to-end encryption in 2016, preventing third parties from accessing the intelligible content of the messages while they are being transferred. Encryption is becoming increasingly difficult to break, and this has incited a debate over whether privacy should trump security.

Provisions relating to encryption can be found in several pieces of South African legislation. The Electronic Communications and Transactions Act 25 of 2002, for instance, establishes a register of all cryptography providers, and cryptography products can only be provided once a cryptography provider has been registered. The Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002 allows an application to be made to a judge for a “decryption order”. This order would compel an individual or provider who has a decryption key to provide that key to the applicant, subject to severe fines or even imprisonment in cases of non-compliance.

Encryption, and the question of whether governments should have powers to circumvent it, have received much media attention. For instance, in the wake of the San Bernardino shooting, the FBI asked Apple to assist in unlocking the gunman’s iPhone in order to access data that was stored in encrypted form on the device. While Apple refused to cooperate, the authorities allegedly were eventually able to hack the phone and bypass the encryption. Increasingly, law enforcement agencies encounter encrypted data they cannot access, and in order to conclude investigations and prosecutions, these agencies ask parties such as cell phone providers to give them access keys or to facilitate built-in backdoor access.

In recent years, national lawmakers have proposed legislation that would give governments the ability to hack encrypted communications and data. Australia, for instance, released a draft bill on encryption in August of this year. This draft legislation, once enacted, would grant law enforcement exceptional access under warrant to the encrypted data of suspects of various crimes. The granting of such new powers has been met with criticism, including from privacy experts, industry groups and civil liberties advocates. They emphasise the lack of judicial oversight and put forward privacy concerns.

Indeed, encryption raises fundamental issues of privacy and freedom of expression. In many respects the digital environment, together with encryption, has strengthened freedom of expression by providing more means to communicate freely, securely and anonymously. Breaking encrypted data, and thus infringing on privacy and freedom of expression, is being presented as a necessary means to combat terrorism and other organised crime. However, it is important to question and challenge the narrative that these rights and security are incompatible. This tension will be discussed in a later post.

The next piece in this series will address whether and in what circumstances data is eligible for intellectual property protection.