A Texas-Size Victory for Encryption

Df blog spotlight 1

Texas has proven once again that it is a leading state when it comes to privacy rights and the right to protection of property. Yesterday, Governor Greg Abbott signed House Bill 9 (Capriglione), now known as the Texas Cybercrime Act, into law. The act states that a person commits an offense if they intentionally interrupt or suspend access to a computer system or computer network without the effective consent of the owner. It also makes the decryption of private information a criminal offense. It is the first bill passed in the U.S. to protect an individual’s right to privacy using encryption.

Changing Perceptions

The federal government has long recognized the need to protect the data of government and financial institutions. Cybercrime laws, such as the Computer Fraud and Abuse Act (CFAA), were originally written to protect computers used by the government and financial institutions. However, they haven’t found protecting individual data and privacy to be a necessity. In fact, law enforcement has viewed the effort of individuals to protect privacy online as suspicious.

In an article published on VentureBeat, Glenn Greenwald, editor of the Intercept, mentions, “They [the NSA] view the use of encryption… as evidence that you’re suspicious and can actually target you if you use it.” This is evident in the minimization procedures followed by the NSA regarding the acquisition, retention and dissemination of information from online communications, pursuant to Section 702. In Section 5 of these minimization procedures, entitled “Domestic Communications,” it is stated that domestic communication will be promptly destroyed unless it is believed to contain “technical data base information.” Technical database information is defined in Section 2 as “information retained for cryptanalytic, traffic analytic or signal exploitation purposes.”

The document also states, “In the context of cryptanalytic effort, maintenance of technical databases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning. Under Section 702, this information is acquired and retained without a warrant. The NSA’s minimization procedures from 2015 can be viewed here.

The Public Has a Right to Privacy Online

Digital communication has become a predominant form of communication in our personal and professional lives. These days, people have a tendency to communicate digitally when they are sitting within only a few feet of each other. Private communication between clients and attorneys, homebuyers and loan officers, and doctors and patients also occurs online.

These are private conversations and should be treated as such. As stated by the Electronic Frontier Foundation (EFF), “We have the right to engage in private conversations online, just as we have the right to private conversations in person, and those rights must be protected.” Just as the government cannot wiretap homes without a warrant, nor should they be able to collect or store online communications when there is no probable cause.

Furthermore, individuals have the right to use encryption to protect themselves and their property from cybercrime. The use of ransomware and other cybercrimes continue to proliferate, and cybercriminals target organizations and individuals alike. According to RSA’s 2016 Current State of Cybercrime, online credit card fraud is predicted to continue to dramatically increase as the opportunity for in-person fraud diminishes. Card-not-present (CNP) fraud in the U.S. is projected to reach over $7 billion by 2020.

Texas Outlaws Decryption without Consent

Protecting encryption has been a major issue for the tech community since well before the community showed its support for Apple vs the FBI through AMICUS briefs, and Texas has led the way by making it a crime to forcibly decrypt private information.

According to the Texas Cybercrime Act, decryption means, “the decoding of encrypted communications or information, whether by use of a decryption key, by breaking an encryption formula or algorithm, or by the interference with a person’s use of an encryption service in a manner that causes information or communications to be stored or transmitted without encryption.” By this definition, the law not only makes the decryption of data a crime, but also the disablement of an encryption service

While this law does not protect citizens from having their data collected and retained by federal agencies, it does protect them from cybercrime, and it sends a message to governments and law enforcement agencies around the country that the employment of encryption should be principally viewed as a means to protect what is valuable, not to hide criminal activity. The Texas Legislature and Governor have acted once again to protect people’s property by recognizing that encryption is an important tool normal citizens can use to protect their digital property. Texas knows that Encryption is the “Second Amendment of the Internet.”