from Net Politics and Digital and Cyberspace Policy Program

The Year in Review: Encryption and Privacy in 2016

December 27, 2016

Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations. 

There were a number of developments that shaped the encryption and digital privacy landscape this year.

It started off with a bang in February when the FBI successfully obtained a court order requiring Apple to build software to unlock the iPhone of one of the San Bernardino terrorists. That sparked a month-long debate among pundits, lawmakers, and civil society groups who lined up behind their respective champion and shouted invective at each other. Even then-candidate Donald Trump got in on the action, calling for a boycott of Apple in response to the tech giant’s unwillingness to comply with the order. The debate ended almost as quickly as it started when the FBI asked the court to rescind its order given that a third party had approached the agency with a proof of concept to get into the iPhone without Apple’s help.

Despite the intensity of the debate, it’s hard to gauge what impact it had, if any, toward finding a compromise between the law enforcement and civil liberties camps. Last year, this blog noted the ritualization of the encryption debate, whereby something bad happens, people yell at each other, the debate goes away, and nothing has been accomplished. The same thing happened this year. Bills were introduced into Congress, commissions were proposed, but nothing really happened.

During the Apple-FBI fight, the United States and Europe announced their agreement on the successor to the invalidated Safe Harbor pact, calling it Privacy Shield. In contrast to the previous agreement, Europeans now have a right to redress in U.S. courts if they believe their privacy rights were violated and an ombudsperson to resolve any complaints on behalf of Europeans concerned about the U.S. intelligence community capturing data transferred under the deal.

Although data protection authorities in Europe expressed skepticism of the deal, they said they would give it at least a year before reviewing its adequacy and possibly challenging it in EU court. Their actions were preempted by Digital Rights Ireland, a privacy group, which challenged the European Commission’s assertion that the shield was adequate to protect EU citizens’ privacy rights. The Privacy Shield challenge, along with the possible invalidation of model clauses--another legal mechanism used to transfer data across the pond--increases the likelihood of more turbulence for U.S.-EU data transfers next year.

2016 also saw the passage of a number of controversial interception and data retention laws. In the United Kingdom, the Investigative Powers Bill--known to detractors as the Snooper’s Charter--received royal assent. Among other things, the bill requires communications service providers (CSPs) to maintain "internet connection records" of their users, reiterates existing requirements that CSPs maintain a capability to decrypt communications, and creates a new oversight body to monitor law enforcement and the intelligence community’s use of the new powers.

In China, the cybersecurity law that had gone through several drafts since 2015 finally entered into force in November. In addition to raising U.S. business concerns that it will subject their wares to regular security audits and pose a threat to their intellectual property, the Chinese bill requires CSPs to mandate that users register with their real-world identities (no anonymity allowed) and requires undefined "critical information infrastructure operators" to store user data in the country--a practice known as data localization. Like the UK measure, the Chinese law requires that tech companies provide "technical support" for law enforcement investigations, presumably meaning providing a decryption capability.

Finally, the election of Donald Trump as president of the United States gave a shot in the arm to privacy activists. His election sparked discussions about the state of online privacy for the next four years and concerns that even modest reforms to the NSA surveillance programs will be rolled back. A month after his election, Signal, the Edward Snowden-endorsed messaging app, experienced a 400 percent jump in daily app downloads.

2016 was pretty hectic for the privacy world, but probably no more than previous years. What does 2017 have in store? Court challenges and opinions. Expect lots of them. Privacy activists and companies are likely to test the legality of the UK’s Investigative Powers Act, the viability of model clauses and the Privacy Shield, and trigger another encryption fight if U.S. law enforcement can’t unlock a device during the investigation of a high-profile or particularly heinous crime.
