What kind information can the US legally demand that a company hand over? And under what circumstances? And which laws give the government and law enforcement those rights? Eh, it’s not currently very clear, as was recently proven by the Apple/FBI battle over unlocking one of the San Bernardino shooters’ iPhones and the death of secure email service Lavabit after its founder refused to produce its Secure Sockets Layer (SSL) private keys for an FBI probe.

That confusion is troubling but can also be a good thing for companies who receive requests that they do not want to comply with, for whatever reason.

“If you’re ever asked to do something like this, you have a lot of strong legal arguments to say no,” said Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society in a Black Hat talk on Thursday. Granick and her Stanford colleague Riana Pfefferkorn, a Cryptography Fellow, ran down relevant laws and what’s currently known about their parameters and limits. They suggested that companies should plan ahead and assume that law enforcement agencies will eventually send them some kind of technical request—if they haven’t already.

And preparation starts with how products are designed.

“No one is obligated to build in decryption capabilities,” Granick noted, meaning that it is much harder for law enforcement to compel a company to decrypt data that it doesn’t have any type of privileged access to. “You need to be thinking through these design decisions,” Pfefferkorn added. “You can’t be compelled to hand over data that you don’t collect.” Very true. Finally toward the end of the talk, Granick said, “End-to-end encryption is legal. Period.” The crowd broke into spontaneous applause.

Read More