I don't understand the premise of this draft. Whether companies use cryptographic means of communication within their business to which government agencies don't have cleartext access before the issuance of a subpoena is not at all related to whether companies use forms of internal communication designed to leave no records that can be the subject of subpoena. To tell companies that FCPA compliance requires record-keeping, and that use of record-destroying software is incompatible with compliance requirements and can get you in trouble is not part of any "responsible cryptography" policy.

So I don't understand the "prosecutorial discretion in aid of policy" angle, because I don't understand the factual predicate. But the angle wouldn't make much sense to me even if I understood the predicate, because I don't think anyone ever doubted that prosecutorial discretion is a policy tool, whether used by actual prosecutors or by agencies like FTC and EPA that are structured as quasi-prosecutorial entities with power to initiate coercive litigation as their primary tool. Nor do you doubt what you make the subject of the essay, so it's a "march up the hill to march down again" sort of story.

The route to improvement, I think, would be a clarification of the issue at stake. What is surprising in any way about the FCPA notice? If it said, you can get in trouble for routine mass shredding of documents, would the issue not be the same?


Prosecutorial Discretion and the Crypto Wars

-- By MarcelRibas - 14 Apr 2018

I. Introduction

The U.S. Department of Justice opened another front in the “Crypto Wars” in November 2017 by introducing a new prosecutorial policy intended to steer companies away from “software that generate but do not appropriately retain business records or communications.”

On the surface, the policy language deals with the retention of corporate records for anti-corruption compliance programs. But attentive readers readily identified the Department’s concern with self-destructing software and encryption, following the sharp increase in use of technology that prevents law enforcement access to devices and communications (the “going dark” problem).

This essay questions whether the use of prosecutorial compliance program policy is a legitimate means to advance the government’s “responsible encryption” pitch and highlights some unwarned disadvantages of corporate adherence to the government’s proposal.

II. Discussion

A. The legitimacy of using prosecutorial discretion to advance policy

This essay was elicited by a new Department of Justice policy in connection with the Foreign Corrupt Practices Act (“FCPA”), a statute enacted in 1977 with the purpose of cracking down on bribery of foreign government officials and political parties. In essence, this new policy promises leniency to companies that self-disclose actual or potential violations of the FCPA, as long as certain requirements are met.

Among such requirements, the United States Attorneys’ Manual at 9-47.120(3)(c) now asks companies to timely and appropriately remediate FCPA matters by adopting “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications”.

United States Attorneys answer to the Executive Branch of federal government. The executive is led by the President, who pursuant to Article II of the Constitution must “take care that the laws be faithfully executed”. One of the many sides of this constitutional duty and power of the President is his or her absolute control over what cases government attorneys bring and what charges they file.

In this respect, the executive power attorneys’ authority to prosecute, and more importantly, to not prosecute, was labeled by legal circles as prosecutorial discretion. The President has the final word over what matters to pursue and what matters not to pursue at the federal level, and traditionally no court can interfere with this decision. Recently, the D.C. Circuit held that courts cannot "second-guess" the Executive even in the case of deferred prosecution agreements, which require the filing of an information in court.

For many policy and practical reasons, the government often makes use of the power not to prosecute in order to achieve some larger goals. The particular goal, however, varies in accordance with the social, political, legal and factual context in consideration. It is largely a consensus among legal professionals that the U.S. criminal justice system would simply collapse without plea bargains and pre-trial settlements. In fact, researchers report that 97% of all federal criminal convictions in 2017 resulted from guilty pleas instead of trials.

One prosecutor might dismiss a criminal complaint against a person with a terminal disease for humanitarian reasons. Another prosecutor may choose to charge a lesser offence against a young, misdirected first-time offender. Yet another prosecutor can offer a plea deal to one person in order to obtain statements and documents against a larger criminal organization. In every one of these cases, the underlying policy and practical considerations vary, but the ultimate source of constitutional governmental power is the same.

Therefore, in light of the doctrines of separation of powers, prosecutorial discretion and precedent on the impossibility of judicial review, the conclusion is that the Constitution and the laws currently afford the federal government a legitimate power to advance its policy agenda by means of using prosecutorial discretion.

B. The disadvantages of forgoing self-destructing software and encryption

The FCPA Corporate Enforcement Policy is probably a pilot of further changes in the way the Department assesses the effectiveness of compliance programs in other areas. As the government advances its policy, more companies are likely to endeavor to approximate their corporate policies and procedures to the standards advocated by the Department.

By force of law or regulation, companies must keep certain business records for a finite period of time. This is beyond question. But the issues of whether companies should archive metadata and content of all communications coming from or to their employees, or whether companies should adopt cryptography that enables exceptional access instead of strong encryption are far more difficult.

Specialists in the area of encryption report that there is no existing system that permits exceptional access to encrypted data without unacceptable risks. According to their research, intruders have the capability to hijack the exceptional access mechanisms. They also found that there are important practical obstacles and vulnerabilities in the process of guaranteeing exceptional access to the various law enforcement agencies in the world.

Weak cryptography or exceptional access for encrypted devices also means that corporate networks would be further vulnerable to theft, electronic espionage, hacking and surveillance by foreign or national powers and private agents. For most big businesses and smaller businesses with sensitive data, these risks seem to be unacceptable to take.

Furthermore, given the ever-growing text-based communication culture of the twenty-first century, requiring the maintenance of a system that considers any communication within the corporation as a business record is on its face excessive and capable of chilling employee use of corporate communication channels. Not all communications are, or should be considered, business records. Corporations are expected to assume the costs and responsibility for keeping monumental volumes of internal data with virtually no business use in exchange for a far-fetched promise of leniency that depends on an array of factors, some entirely outside of their control, while bearing the legal and reputational accountability for data treatment and security breaches.

III. Conclusion

The Department of Justice is legitimately using prosecutorial discretion as a tool to advance its “responsible encryption” agenda and push back against self-destructing software and encryption, trying to guarantee that corporate records and communications are readily accessible for law enforcement purposes.

However, the unwarned consequences of this particular policy are corporate networks further vulnerable to theft, electronic espionage, hacking and surveillance.

Furthermore, the policy also suggests that corporations bear the costs and the responsibility for keeping indiscriminate vast archives of data, most with virtually no business use, that actually should not be considered business records in the first place.


