Computers, Privacy & the Constitution

Prosecutorial Discretion and the Crypto Wars

-- By MarcelRibas - 14 Apr 2018

I. Introduction

The U.S. Department of Justice opened another front in the “Crypto Wars” in November 2017 by introducing a new prosecutorial policy intended to steer companies away from “software that generate but do not appropriately retain business records or communications.”

On the surface, the policy language deals with the retention of corporate records for anti-corruption compliance programs. But attentive readers readily identified the Department’s concern with self-destructing software and encryption, following the sharp increase in use of technology that prevents law enforcement access to devices and communications (the “going dark” problem).

This essay questions whether the use of prosecutorial compliance program policy is a legitimate means to advance the government’s “responsible encryption” pitch and highlights some unwarned disadvantages of corporate adherence to the government’s proposal.

II. Discussion

A. The legitimacy of using prosecutorial discretion to advance policy

This essay was elicited by a new Department of Justice policy in connection with the Foreign Corrupt Practices Act (“FCPA”), a statute enacted in 1977 with the purpose to crack down on bribery of foreign government officials and political parties. In essence, this new policy promises leniency to companies that self-disclose actual or potential violations of the FCPA, as long as certain requirements are met.

Among such requirements, the United States Attorneys’ Manual at 9-47.120(3)(c) now asks companies to timely and appropriately remediate FCPA matters by adopting “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications”.

United States Attorneys answer to the Executive Branch of federal government. The executive is led by the President, who pursuant to Article II of the Constitution must “take care that the laws be faithfully executed”. One of the many sides of this constitutional duty and power of the President is his or her absolute control over what cases government attorneys bring and what charges they file.

In this respect, the executive power attorneys’ authority to prosecute, and more importantly, to not prosecute, was labeled by legal circles as prosecutorial discretion. The President has the final word over what matters to pursue and what matters not to pursue in the federal level, and traditionally no court can interfere with this decision. Recently, the D.C. Circuit held that courts cannot "second-guess" the Executive even in the case of deferred prosecution agreements, which require the filing of an information in court.

For many policy and practical reasons, the government often makes use of the power not to prosecute in order to achieve some larger goals. The particular goal, however, varies in accordance with the social, political, legal and factual context in consideration. Tt is largely a consensus among legal professionals that the U.S. criminal justice system would simply collapse without plea bargains and pre-trial settlements. In fact, researchers report that 97% of all federal criminal convictions in 2017 resulted from guilty pleas instead of trials.

One prosecutor might dismiss a criminal complaint against a person with a terminal disease for humanitarian reasons. Another prosecutor may choose to charge a lesser offence against a young, misdirected first-time offender. Yet another prosecutor can offer a plea deal to one person in order to obtain statements and documents against a larger criminal organization. In every one of these cases, the underlying policy and practical considerations vary, but the ultimate source of constitutional governmental power is the same.

Therefore, in light of the doctrines of separation of powers, prosecutorial discretion and precedent on the impossibility of Judiciary review, the conclusion is that the constitution and the laws currently afford the federal government with a legitimate power to advance its policy agenda by means of using prosecutorial discretion.

B. The disadvantages to forgo self-destructing software and encryption

The FCPA Corporate Enforcement Policy is probably a pilot of further changes in the way the Department assesses the effectiveness of compliance programs in other areas. As the government advances its policy, more companies are likely to endeavor to approximate their corporate policies and procedures to the standards advocated by the Department.

By force of law or regulation, companies must keep certain business records for a finite period of time. This is beyond question. But the issues of whether companies should archive metadata and content of all communications coming from or to their employees, or whether companies should adopt cryptography that enable exceptional access instead of strong encryption are far more difficult.

Specialists in the area of encryption report that there is no existing system that permit exceptional access to encrypted data without unacceptable risks. According to their research, intruders have the capability to hijack the exceptional access mechanisms. They also found that there are important practical obstacles and vulnerabilities in the process of guaranteeing exceptional access to the various law enforcement agencies in the world.

Weak cryptography or exceptional access for encrypted devices also mean that corporate networks would be further vulnerable to theft, electronic espionage, hacking and surveillance by foreign or national powers and private agents. For most big businesses and smaller businesses with sensitive data, these risks seem to be unacceptable to take.

Furthermore, given the ever-growing text-based communication culture of the twenty-first century, requiring the maintenance of a system that considers any communication within the corporation as a business record is on its face excessive and capable of chilling employee use of corporate communication channels. Not all communications are, or should be considered, business records. Corporations are expected to assume the costs and responsibility for keeping monumental volumes of internal data with virtually no business use in exchange for a far-fetched promise of leniency that depends on an array of factors, some entirely outside of their control, while bearing the legal and reputational accountability for data treatment and security breaches.

III. Conclusion

The Department of Justice is legitimately using prosecutorial discretion as a tool to advance its “responsible encryption” agenda and push back against self-destructing software and encryption, trying to guarantee that corporate records and communications are readily accessible for law enforcement purposes.

However, the unwarned consequences of this particular policy are corporate networks further vulnerable to theft, electronic espionage, hacking and surveillance.

Furthermore, the policy also suggests that corporations bear the costs and the responsibility for keeping indiscriminate vast archives of data, most with virtually no business use, that actually should not be considered business records in the first place.

Navigation

Webs Webs

r1 - 15 Apr 2018 - 00:14:49 - MarcelRibas
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM