Journal of Intellectual Property Law


Lawyers wishing to exercise a meaningful degree of leadership at the intersection of technology and the law could benefit greatly from a deep understanding of the use and application of encryption, considering it arises in so many legal scenarios. For example, in FTC v. Wyndham1 the defendant failed to implement nearly every conceivable cybersecurity control, including lack of encryption for stored data, resulting in multiple data breaches and a consequent FTC enforcement action for unfair and deceptive practices. Other examples of legal issues requiring use of encryption and other technology concepts include compliance with security requirements of GLBA & HIPAA, encryption safe harbors relative to state data breach notification laws and the CCPA, the NYDFS Cybersecurity Regulation, and PCI standards. Further, some policy discussions have taken place in 2020 regarding encrypted DNS over HTTPS, and lawyers would certainly seem to benefit from a better understanding of relevant encryption concepts to assess the privacy effectiveness of emerging encryption technologies, such as encrypted DNS. Finally, the need for technology education for lawyers is evidenced by North Carolina and Florida requiring one or more hours in technology CLE and New York in 2020 moving toward required CLE in the area of cybersecurity specifically.

This article observes that there is a continuing desire for strong encryption mechanisms to advance the privacy interests of civilians’ online activities/communications (e.g., messages or web browsing). Law enforcement advocates for a “front door,” requiring tech platforms to maintain a decryption mechanism for online data, which they must produce upon the government providing a warrant. However, privacy advocates may encourage warrant-proof encryption mechanisms where tech platforms remove their ability to ever decrypt. This extreme pro-privacy position could be supported based on viewing privacy interests under a lens such as Blackstone’s ratio. Just as the Blackstone ratio principle favors constitutional protections that allow ten guilty people to go free rather than allowing one innocent person suffer, individual privacy rights could arguably favor fairly unsurveillable encrypted communications at the risk of not detecting various criminal activity. However, given that the internet can support large-scale good or evil activity, law enforcement continues to express a desire for a front door required by legislation and subject to suitable privacy safeguards, striking a balance between strong privacy versus law enforcement’s need to investigate serious crimes. In the last few decades, law enforcement appears to have lost the debate for various reasons, but the debate will likely continue for years to come.

For attorneys to exercise meaningful leadership in evaluating the strength of encryption technologies relative to privacy rights, attorneys must generally understand encryption principles, how these principles are applied to data at rest (e.g., local encryption), and how they operate with respect to data in transit. Therefore, this article first explores encryption concepts primarily with regard to data at rest and then with regard to data in transit, exploring some general networking protocols as context for understanding how encryption can applied to data in transit, protecting the data payload of a packet and/or the routing/header information (i.e., the “from” and “to” field) of the packet.

Part 1 of this article briefly explores the need for lawyers to understand encryption. Part 2 provides a mostly technical discussion of encryption concepts, with some legal concepts injected therein. Finally, Part 3 provides some high level legal discussion relevant to encryption (including arguments for and against law enforcement’s desire for a front door). To facilitate understanding for a non-technical legal audience, I include a variety of physical world analogies throughout (e.g., postal analogies and the like).