Issuu on Google+

Committee:​ World Intellectual Property Organization (WIPO). Chair members: President:​ Andrea Navarro Millán Moderator:​ Alexa Limón Samperio Topic:​ Legality of the obligatory De-encryption of personal communication devices. I.

INTRODUCTION The

World

Intellectual

Property

Organization, also known worldwide as ‘’WIPO’’ for its acronym, ​is the global forum for intellectual property services, policy,

information

and

cooperation;

self-funding agency of the United Nations, with 189 member states. Founded in 1967 with its governing bodies and procedures set out in the WIPO Convention, this organization’s ​main purpose is to achieve the development of a balanced and effective international intellectual property (IP) system that leads to innovation and creativity for the community’s benefit. This organization’s main functions are: ● Promote the development of measures designed to facilitate the efficient protection of intellectual property throughout the world and to harmonize national legislation in this field. ● Perform the administrative tasks of the Paris Union, the Special Unions related to that Union, and the Berne Union. ● It may agree to assume, or participate in, the administration of any other international agreement designed to promote the protection of IP. ● Encourage the conclusion of international agreements designed to promote the


protection of intellectual property. ● Offer its cooperation to states requesting legal-technical assistance in the field of intellectual property. ● Assemble information concerning the protection of intellectual property, develop and promote studies in this field, and publish the results. ● Maintain services facilitating the international protection of IP and provide for registration in the field. ● Take all other appropriate action relevant to the protection of intellectual property. This year, during the third edition of the Junior American School Model United Nations (JASMUN), the chair of the World Intellectual Property Organization committee, hosting the topic of ​Legality of the obligatory De-encryption of personal comm. devices will be ran by Alexa Limón Samperio, as Moderator, and Andrea Navarro Millán, as Director. II.

TOPIC OVERVIEW

‘’​Encryption’​’ is a term that refers to the mathematical function using a secret value, or ‘’key’’, which encodes data so that only users with access to that key can read the information, or simply, the insurance that data is only being accessed by authorized users. In many cases, encryption can provide a safeguard against the unauthorized or unlawful processing of personal data, especially in cases where it is not possible to implement

measures.

Companies

and

businesses tend to appeal to this method, which gives them the security that in case of a loss or theft of the workers’ devices, like computers, there still would be a chance of an encrypted-information recovery by the data controller. On the other hand, ‘’decryption’’ means the process of transforming data that had been protected before and made unreadable, into its unencrypted form, converting it into texts and images understandable to both the reader and the system.


End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages, preventing telecom providers and Internet providers from being able to witness those conversations; it is a system designed to defeat any attempts of surveillance, since no third-parties can decipher the data being communicated or stored. To understand the importance of ‘’intellectual property’’ in this context and why WIPO’s purpose is to encourage it, it’s fundamental to know it is defined as ‘’the creations of the mind, such as inventions, literary and artistic work, designs, symbols, names and images used in commerce’’. Its importance is such, that it is protected by law, and that’s where

​patents​,

trademarks

​copyrights

derive

from,

and which

enables people to earn recognition or financial benefit from what they invent or create. ● A ​copyright is a legal term used to describe the rights that creators have over their literary and artistic works. ● A ​patent is an exclusive right granted for an invention. It provides the patent owner with the right to decide how, or whether, the invention can be used by others. In exchange for this right, the patent owner makes technical information about the invention publicly available in the published patent document. ● Trademarks are signs capable of distinguishing the goods or services of one enterprise from those of other enterprises. Also recognized as ‘’signatures’’ or ‘’marks’’ on the products. To contribute to a positive outcome from this, WIPO works closely with governments, intergovernmental and non-governmental organizations, and with multiple public and private sector stakeholders worldwide to help them realize the benefits of the international IP system for society. These cooperation activities are several, among which are:


● Assisting individual countries and regions to use IP for economic development. ● Coordinating with IP offices to develop technical infrastructure to share work, data and knowledge. ● Cooperating with member states to build respect for IP. ● Building multi-stakeholder partnership platforms to address global challenges. As a United Nations agency, WIPO is committed to working with developed, developing and least developed countries to enable them to gain benefits from the IP system and to promote their participation in the global innovation economy. III.

GENERAL BACKGROUND

Currently, the majority of consumers fear that there is no such thing as ​privacy online​, and somehow, they might have a point, considering this situation sometimes gets beyond the government’s vigilance and instead, it becomes an act from hackers of unknown origins, who put in risk people’s identity by stealing their information. Concerns by the victims have contributed to the creations of new politics within powerful companies who implement even greater encryption in their products. Apple Inc., the multinational technology company, designer and producer of consumer electronics, computer software, and online services, informed its latest mobile devices feature the newest encryption method, in which devices use codes that are generated with each message. Carrie Cordero, ​a former counsel in the Justice Department’s National Security Division and director of National Security Studies at Georgetown Law, Washington D.C​., argues to stand up for the government’s right. ​Cordero states ‘’we can´t fight terrorism and violent crime in the dark’’​, but that that’s a consequence the community will eventually face if law-enforcement and intelligence officials are denied the access they require to take

action.

As

a

matter

of

fact,


communication companies hold information that may be useful to pursue criminal investigations and forestall potential threats. Up until 2015, agents of the government could generally file requests for court orders that, if approved, could make the companies provide the requested information. Congress in 1994 passed the ​‘’Communication Assistance for Law Enforcement Act’’​, o ​‘’Calea’’​, to facilitate private-sector cooperation with law enforcement. This act required telecommunications companies to configure their systems in a way that would enable them to effectively respond to court orders. In addition, some congressional proposals such as the ​‘’Secure Data Act’’​, have threaten to prohibit the government from requiring that companies design or modify communication systems or products to facilitate government requests for data. Ever since the concerns about government surveillance and consumer privacy started to increase, the technology industry has significantly advanced on the development of an encryption

technology.

Apple

Chief

Executive, Tim Cook, even declared this new encryption the company has adopted is undecipherable even by Apple itself. If companies can’t decode messages or retain a

means to unlock devices of their

customers,

court

orders

required

to

companies to hand over messages, passwords or keys will be meaningless, and, as a result, violent crime may stay unsolved, terrorists attacks may not be defeated, and even victims may never see justice. (Cordero, 2015). Society must be aware of the risks of this issue: ● The potential risk of having some degree of vulnerability in the design of modern communications. ● The danger of failing to provide citizens with the basic levels of protection and security. ● Requests for access by foreign governments, which will lead to pressure to


companies who will need to evaluate market opportunities in the context of trying to work with governments that have poor human-rights records. These governments might as well have the need to access encrypted information for investigation purposes. On the other hand, Marc Zwillinger is an attorney and founder and managing member of the Washington, D.C. law firm ZwillGen PLLC, and his point of view differs from the previous, by stating the following: ● Although the U.S. government certainly has an interest in protecting its citizens from crime, terrorist attacks and foreign threats, that doesn´t justify the violation of the right to privacy. ● Some of these methods of intelligence go against the nation’s values and do not demonstrate real long-term benefits or positive effects. ● Secure communication is essential to modern society. Its vulnerability could expose and endanger physical, financial, and emotional details of people’s lives, and even companies’ valuable information. Governments claim they will only use the ​golden key (a key that allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets) when proper judicial process has been followed, but giving this power to the government would result in devastating effects: ● Multinational companies would not be able to refuse foreign governments that demand access, and Governments could threaten with financial sanctions, imprisonment of employees and prohibition against a company’s services in their countries. The relationship between China and U.S. is an example of this, where the United

States’ companies

must

comply with government demands in order to do business, which has to


do with the fact that international companies would do anything to create fully secure, end-to-end encryption products, harming both U.S. industry and its national security​. ● Exploitation of the U.S. government’s key by hackers would be an ​actual risk. Indeed, hackers accessed law-enforcement surveillance information during the state-sponsored hack of Google in 2010. There are several alternatives that wouldn´t compromise the security of an entire communication network. ‘’Law enforcement can, in certain circumstances, compel passcodes from device owners. These are better alternatives than converting devices and apps into components of the surveillance apparatus’’. There is no guarantee that impairing secure communication methods will solve a terrorist problem. This threatens to undermine basic human rights, and weakening security for the majority of users in order to gain access to the potentially illegal communications of the few, is not the right trade-off. (Zwillinger, 2015). IV.

CURRENT SITUATION

There’s been several situations in which the de-encryption of personal devices has been a threat to people’s security, or even a nation’s, but one of the most influential, and which after all, represents a danger to communities from all around the world, was the November, 2015, major terrorist attack which affected the security and the life of thousands of citizens principally from Paris, but the U.S. directly, as well. Thanks to

the skills of an

unknown party who provided a method to the FBI to crack the security function of the iPhone without erasing its content, which was used by Syed Farook and Tashfeen Malik, who carried out the December, 2015, massive San Bernardino shooting, the Department of Justice was able to access data on the


device. The United States’ Government declared that due to outside assistance, it no longer required the help from Apple Inc. On the early 2016, the FBI started reviewing the contents of the phone as ‘’consistent with standard investigatory procedures’’. Later, the Government denied the accusations that pointed it was using the case to gain further access to consumers’ devices, by stating it ‘’was about fully investigating a terrorist attack’’, FBI Director James Comey, said. The Federal Bureau of Investigation has dozens of similar cases pending in which it wants access to smartphone information to assist with a case. Mozilla, the company behind the Firefox browser, testified ‘’other cases pending where law enforcement relies on the ‘All Writs Act’ to access tech gadget data (…) can compel companies to help the government in pursuit of its duties. This question is clearly not going away just because the government has withdrawn their request in this particular case’’. Companies like Apple, whose brand identity is faithful to data security, could face a sale decline if smartphones and tablets are proven to be hackable. All of this contrasts the need for public security in an age when terrorists use encrypted smartphone communication to secretly plan devastating attacks such as the suicide missions in Brussels and Paris. Justice officials declined to comment if the technique would be applied to other encrypted devices, or if it would even be shared with Apple. Later, Apple was declined to be shared the encryption technique, which would ‘’leave ordinary users at risk from malicious third-parties who also may use the vulnerability’’, said Andrew Crocker, staff attorney for the Electronic Frontier Education. The FBI insisted only Apple could crack the contents of Farook’s iPhone, to which the company replied it could eventually undermine the privacy of consumers, a position completely supported by other tech giants, such as Google, Facebook and Microsoft. California U.S. Attorney Eileen Decker said federal authorities has pursued the


litigation to ‘’fulfill a solemn commitment to the victims of the San Bernardino shooting, that we will not rest until we have fully pursued every investigative lead related to the vicious attack’’. Afterwards, a fight started over whether the FBI could force Apple to undermine the security of its own products, and, Alex Abdo, staff attorney for the American Civil Liberties Union, pronounced ‘’we would all be more secure if the government ended this reckless effort’’. V.

BLOC POSITIONS

Encryption is also governed by laws and regulations, which may differ by country. ● United States: ​Although for consumers of communication companies, the creation of codes with each sent message as a new encryption advance may be a relief, it represents a greater concern to U.S. law-enforcement and security forces, who state that the producers of highly-encrypted communication

devices

should

make

available to them, within the framework of the law, a way to decipher those messages. Their main argument is that they need access to private emails, social media messages

and

other

electronic

communication to fight terrorist acts and keep the country’s citizens safe. On the other hand, the side of the defenders of civil liberties express their fear that if governments keep extending its ability to monitor private communication, there will not be any ‘’right to privacy’’ at any point soon. States such as Massachusetts have formulated laws which require the encryption of electronically communicated personal data. In addition, the Federal Trade Commission has declared the ‘’FTC Act’’ as a requirer of data encryption, with a case against a hotel chain whose unencrypted financial data was stolen by hackers. ● United Kingdom: According to ‘’The Data Protection Act 1998’’, also known as


‘’DPA’’, it requires data controllers to take, as established in the document, ‘’appropriate technical and organizational measures’’, in order to maintain a safe and secure personal data. This statement indicates ‘’the measures must ensure a level of security appropriate to, the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage (…), and the nature of the data to be protected’’. For a place recognized as ‘’the state of technological development’’, it is congruent to implement an encryption obligation. Recent regulatory action has focused on unencrypted laptops, optical drives and memory sticks, but still, studies and cases reveal ​the main application of the law is attributed to emails and other electronic communication. ​In conclusion, the DPA has created a

legal

environment

for

encryption of personal data in the United Kingdom. ● France: ​The ‘’French DPA’’, establishes the need of data controllers to take ‘’all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties’’. ​The existence of various threats to Information Technology (IT) systems and networks including computer fraud, fraudulent data collection, data loss and spread of confidential information are highlighted, inducing to the necessity to create new security standards to intensify the security of personal data. The ​Commission Nationale de L’Informatique et des Libertés, ‘’CNIL’’, encourages and promotes the importance of using encrypted links like ​‘’https’’ ​for electronic exchanges of data, and the storage of information in the Cloud. ● Germany: ​The Federal Data Protection Act, for its meaning in English, also known


as ‘’BDSG’’, places an obligation to process personal data to take ‘’appropriate technical and organization measures’’ to preserve data security, with the help of the use of encryption technologies. This act’s goal is to prevent unauthorized access or disclosure, ensure this access is capable of being proven, and protect personal data against accidental loss or destruction. Furthermore, organizations must be able to segregate, or separate, the collected data for different purposes. ● Spain: ​Its legislation mandates the encryption of only certain personal data. The ​Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal, ‘’LOPD’’, establishes that data controllers must adopt measures to guarantee data security, and they will be taken depending on the level of security required. ‘’High level’’ security measures must be applied to ​sensitive data​, such as those related to ideology, religion and health, particularly when they have been stored in databases or ‘’automated filing systems’’, which are transmitted through telecommunications networks. These measures generally apply to sensitive data being transmitted through public networks, and include the deployment of encoding or encryption techniques. Where personal data is transferred through a public or wireless network, this process must be done by ‘’encoding such data or using any other mechanism that guarantees the information shall not be manipulated by third parties’’. ● Japan: ​The Japanese Act on the Protection of Personal Information, ‘’APPI’’, applies to organizations who use databases that contain personal information from at least 5000 or more individuals. These measure’s obligation is to lead to a prevention of data loss, damage or unauthorized disclosure. ● South Korea: The Personal Information Protection Act ‘’PIPA’’, which came into implementation in 2011, is one of the strictest data protection regimes, including


obligations such as the mandatory data

breach notification to data

subjects and other authorities like the Korean

Communications

Commission ‘’KCC’’. PIPA’s duty is to take the ‘’technical, administrative and physical measures necessary for security safety (…) in order to prevent personal information from loss, theft leakage, alteration or damage’’. Organizations are mandatorily required to establish an official statement of the previous security measures, and an internal privacy officer must be appointed to oversee data processing activities, who will also be subject to any necessary criminal investigations for a breach.

VI.

FOCUS QUESTIONS 1. Should smartphone companies agree to legalize the de-encryption of smartphones even though it violates their privacy policies? 2. What would be the consequences of legalizing de-encryption? 3. Why do governmental authorities propose that de-encryption should be allowed in certain cases? What are examples of cases that merit de-encryption? 4. How

would

legalizing

the

de-encryption of phones affect society in their countries? 5. Would

legalizing

the

de-encryption of phones really help to solve issues or would people find other ways to use phones irresponsibly? 6. How would the economy of all these companies be affected if the


de-encryption of phones was legalized? 7. What would be the legal consequences of these companies for violating the privacy policy of their clients? 8. Can private data be provided to a national company?

VII.

IMPORTANT RESEARCH LINKS

http://www.wipo.int/portal/en/index.html http://www.wipo.int/treaties/en/text.jsp?file_id=283854 http://www.infosecurityeurope.com/__novadocuments/21997 http://www.wsj.com/articles/should-law-enforcement-have-the-ability-to-access-encryp ted-communications-1429499474 https://www.symantec.com/products/information-protection/encryption http://www.fipr.org/rip/Mark%20Castell%20NCIS%20-%20Devastating%20effects%2 0of%20irretrievable%20encryption.htm https://informationsecurity.princeton.edu/encryption/encryption-and-internatio https://www.whatsapp.com/faq/en/general/28030015

References: What is Intellectual Property? (n.d.). In ​WIPO. ​World Intellectual Property Organization. Retrieved from ​http://www.wipo.int/about-ip/en/ Inside WIPO. (n.d.). In ​WIPO. World Intellectual Property Organization. Retrieved from http://www.wipo.int/about-wipo/en/ Functions. (n.d.). In ​WIPO. ​World Intellectual Property Organization. Retrieved from http://www.wipo.int/treaties/en/text.jsp?file_id=283854 Cooperation. (n.d.). In ​WIPO. ​World Intellectual Property Organization. Retrieved from


http://www.wipo.int/cooperation/en/index.html#countries FBI hacks into terrorist’s iPhone without Apple. (2016). In ​USA Today. Retrieved from http://www.usatoday.com/story/news/politics/2017/01/12/sanders-slams-democrat s-who-voted-pharmaceutical-industry/96506340/ Encryption and the ‘’Golden Key’’. (2016). In ​Lawfare. Retrieved from https://www.lawfareblog.com/encryption-and-golden-key The legal obligations for encryption of personal data in Europe and Asia. (2013). In ​Info Security Europe. Retrieved from http://www.infosecurityeurope.com/__novadocuments/21997


Wipobackgroundjasmun2017 docx