Time lawyers got to grips with encryption

Lawyers and lawmakers have a shaky grasp of encryption. The danger is that as the technology evolves, lawyers' understanding will fall even further behind, argues Jeremy Phillips.

Considering how important encryption is, the legal community as a whole knows little about it and understands it still less. Those involved in e-commerce are familiar with encryption as a secure means of enabling account details and payment particulars to be communicated over the publicly accessible internet.

Broadcasters appreciate its use as a means of depriving non-payers of the right to receive subscription-only transmissions. Makers of games consoles and software regard encryption as a convenient means of dividing markets and preventing even lawful use of their products in geographically disfavoured zones, while producers of bespoke and low-volume computer programs have seen it as a means of fending off both unwanted users and over-curious competitors.

Each of those perspectives may be valid, but do we need a wider view? Possibly because of the pervasive nature of encryption, we lose sight of its characteristics. Is it a way of implementing a data policy or is it a substitute for having one? Does it exist as a technical solution to a technical problem? Is it perhaps the handmaid of legal efficacy? Or is it a socio-political tool for the governance and control of an increasingly sophisticated electorate?

In truth it is all these things. Because of its many roles and uses, encryption has the characteristics of the chameleon.

Lack of clarity
From a lawyer's point of view, lack of clarity is frustrating. There is no all-embracing legal meaning of the term 'encryption', or of its counterpart, decryption. In some circumstances, failure to encrypt may be regarded as negligent or reckless; in other circumstances making the effort and meeting the expense of encryption is no guarantee that liability will be avoided.

Its use may enable a company to protect its business legitimately, or may raise issues of market division and unfair trading. And where official secrecy is at stake, issues such as national security, which craves secrecy — and the public interest, which so often abhors it — tug encryption in opposite directions.

As a commodity, encryption is also unfamiliar to most of us. Who owns encryption? No-one, of course, since it is merely a concept and, as such, not susceptible to ownership. Yet patents are available for specific means of encryption, while both software and algorithms may enjoy copyright protection as well.

Separate rights may also govern the content that is subject to encryption, whether in the form of traditional copyright for media packages such as films, games and broadcasts of sports events or in the form of data-protection rights for sensitive personal information and trade secrecy for industrially and commercially valuable know-how.

All this means that, at any point at which encrypted information is hacked into, leaked, lost completely or abused, that point marks the intersection of a variety of public and private rights and duties. There is no convenient way of saying which interest trumps the others.

Losing sight of the chameleon
When deciding how to respond to any encryption-related legal problem, civil and criminal courts are generally bound by imperatives that stem from bodies of jurisprudence that were evolved before today's technology-driven society emerged.

These imperatives include the rules for interpreting statutes — narrowly in criminal proceedings, more widely in civil actions — and second-guessing the intentions behind business deals, the achievement of justice in the individual case and the need for proportionality in the balancing of competing interests.

The chameleon adapts its colour to its surroundings and encryption adapts its utility in much the same way. Where the deployment of encryption, and the nature of its technical parameters, run sufficiently far ahead of the understanding of legislators and legal practitioners, the law may lose sight of this chameleon altogether. Perhaps now is the time to get more firmly to grips with it.

Jeremy Phillips, intellectual property consultant to law firm Olswang and professorial fellow at the Queen Mary Intellectual Property Research Institute, is a research director at the Intellectual Property Institute. He is a member of the IPKat and Datonomy blog teams.