On November 8, 2023, Paul Hastings kicked off the Cybersecurity Law Workshop with a Panel on Encryption at this Fall’s Privacy+Security Forum. The panel was moderated by Paul Hastings Senior Privacy Director and Chief Privacy Officer Brianne Powers, and featured Ruth Babette Ngene (Public Director, Electronic Frontier Foundation Organization (“EFF”)), Jon Camfield (Product Policy, Meta), and Greg Nojeim (Senior Counsel and Director of Security and Surveillance Project, Center for Democracy and Technology).

The Panel on Encryption covered topics including encryption in the U.S., global challenges to encryption, and encryption in action. On encryption in the U.S., panelists highlighted current legislation related to encryption, issues with that legislation, and proposed solutions to those issues.

Here are some of the main takeaways from the panel–

Encryption in the U.S.

• Many countries have enshrined privacy as a fundamental human right.
• Three proposed bills have potential impacts on encryption including:
  • Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT Act”) –would allow state legislatures to encourage civil lawsuits and prosecutions against those who do not follow the government’s best practices, including scanning everyone’s privacy conversations for illegal material.
  • Stop Child Sexual Abuse Material (“CSAM”) Act –creates criminal and civil liability for platforms that allow sharing of illegal material, and the fact that they offer encryption can be used as evidence of recklessness, discouraging use of end-to-end (“E2EE”) encryption.
  • Cooper Davis Act –creates the possibility for encryption to be used as evidence of providers’ blindness to information they obtain about certain illegal drug sales, which discourages providers from allowing users to have private conversations on legal subjects related to drugs.

Global Challenges to Encryption

• Encryption faces headwinds throughout the world which can be challenging for multinational companies.
• Legislation, such as the CSAM Act described above, may be difficult to stop because of its call to address important societal issues, such as child exploitation online.
• To combat these challenges to encryption, the Center for Democracy and Technology created the Global Encryption Coalition which:
  • Addresses governments’ coordination with each other that attacks encryption; and
  • Promotes pro-encryption policies at the governmental level and encryption adoption at the corporate level.

Encryption in Action

• The COVID-19 pandemic taught us that we are reliant on technologies to communicate and that there is an expectation of privacy when using those technologies for conversing. E2EE provides the desired security for those conversations.
• Device encryption, transit encryption, and E2EE are under attack and there needs to be a unified approach to these encryptions while also considering that they are different encryption processes.

What Companies Should Do Now:

Based on the issues discussed above, organizations should consider taking the following steps:

• Determine types of encryption used at the organization internally and for any consumer-facing products, including for devices and information in transit or at rest.
• Remain aware of the bills described above and their particular implications on the organization.
• Ensure policies and procedures related to encryption are adaptable should these bills be passed.

The Privacy + Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. This Fall’s Forum took place from November 8-10th in Washington, D.C.

If you have any questions about the issues discussed in this blog post, please do not hesitate to contact any member of our team.