This week, the social networking service Facebook quietly announced that it will begin making PGP encryption available for communications from Facebook to its users. While this step, in itself, is a small one not likely to directly impact many individuals, if it signals a resurgence in development of public key cryptography for use by the general public, it will have dramatic consequences for the privacy and security community and for the lawyers who support it.
PGP is the encryption protocol developed in the 1990s by Phil Zimmermann as the first tool widely available for general public use that applies the same highly secure encryption techniques once used almost exclusively by governments and military to secure communications. At the time, encryption technology was restricted from export, and the author fought a long legal battle over his release of the product. While sophisticated in its encryption capabilities, PGP and more recent incarnations of similar techniques have suffered greatly from a lack of high-quality software implementations to make them user friendly and to automate the steps (such as “key signature”) to make them secure.
PGP and its descendants, however, are very secure when properly utilized. (See our prior post on this topic here). When Edward Snowden was considering making his controversial leak to journalists, he first anonymously contacted them and insisted that they install and learn PGP for communication. When Glen Greenwald balked, it is reported, Snowden took him through an online tutorial in PGP before providing any sensitive information.
Currently, the development of software for PGP-like encryption is largely in the hands of a dedicated but small cadre of volunteer open source developers and companies for which other products are much greater revenue sources.
If a company such as Facebook, or another of the tech industry giants, were to turn its attention, its massive user base and its readily available funding to developing a next generation of personal encryption software, as this latest announcement may signal, then Phil Zimmerman’s project to bring encryption to the masses could come to fruition.
Mass adoption of strong encryption such as PGP likely would have consequences that corporate counsel would see manifest in at least these areas:
- Political debate. If a much higher proportion of email is encrypted, it will intensify the political debate about encryption “back doors” and the circumstances under which information is made available for law enforcement and national security. (See our prior posts on this topic here and here).
- Internet business models. As more online communications become encrypted, there will have to be major shifts in the business models for companies that depend on targeted advertising and other revenue sources that require access to information about consumers. This could be very disruptive, for example, for search engine companies.
- Legal standards of confidentiality. As high-grade encryption becomes more available and easier to implement, the standards of what is considered “reasonable” in maintaining confidentiality necessarily will shift with common practice. This will have a profound impact on both the practice of law and the advice lawyers give about the necessary steps to secure information in a wide variety of contexts.