CEO Insider

Cracks in privacy regulations force consumers to pick up the slack

End-to-end encryption is more than a buzzword floating about. It has serious effects on user privacy in a world where messaging platforms are a standard part of everyday life. Encryption prevents conversations from being surveilled by the messaging platform, sold to third- parties for monetary gain, or from being exposed in the event of a company data breach. These are very important and essential attributes, so when privacy regulations, such as General Data Protection Regulation (GDPR), began popping up all across the globe, why didn’t messaging apps start making end-to-end encryption the default? To understand this, you must understand the cracks in current privacy regulations.

With the regulations very broadly laid out, it allows for them to be interpreted in different ways. Within GDPR, the neighborhood shop has the same set of obligations as the largest tech company, and this obviously creates many different interpretations. It is up to the entities that are required to comply to decide how they will do so. If the regulation or law is being applied across multiple countries, the way GDPR is in the EU, the regulations will also have different ways of being enforced. Germany, for example, has adopted additional privacy laws to comply with GDPR under the Federal Data Protection Act (FDPA). Therefore, German corporations have to adhere to stricter regulations. With all the different regulations, and interpretations comes a lot of information. This leads to privacy policies becoming very long, which has resulted in many users simply agreeing to terms without reading them through.

In addition to GDPR in Europe, other notable laws are the California Consumer Privacy Act (CCPA) in California, General Personal Data Protection Law (LGPD) in Brazil, and Protection of Personal Information Act (POPI) in South Africa. Each set of regulations has nuances that fit within their own culture, but one common thread throughout all of them is that no regional privacy regulation obligates the use of end-to-end encryption by companies. It is purely up to the messaging platforms if they chose to implement it. Although the regulations have immensely improved the protection of user data from being collected and shared, there are still cracks within the laws that are beginning to show.

Governments push back against end-to-end encryption

If privacy regulations have obvious cracks in what data can be accessed, then why isn’t it mandatory to have end-to-end encryption as the default setting on all messaging platforms? This may be because external sources have more influence than you may realize. Some leaders in big tech corporations are ex-government officials, making it unsurprising why encryption isn’t an option.

In the past, UK corporations have bent their privacy stances in order to comply with government officials. In 2021, to appease US government agencies in their desire to implement protections for children, Apple compromised on end-to-end encryption to allow monitoring of users’ iCloud accounts. Apple had originally planned to fully encrypt its backups. However, it received complaints from the FBI, and the plan was dropped completely.

Some governments oppose end-to-end encryption and have put pressure on communications platforms to avoid it for surveillance and security purposes. Many countries’ privacy laws allow for the exclusion of obligations when it comes to processing by governments and security authorities. The government and the media sometimes promote these regulations under the guise of privacy, when in all actuality, these regulations ensure the government can access citizen data. Australian privacy regulations have three features that allow the requesting of data collected by companies, even on encrypted messages. If messages can be decrypted for governments, then this compromises the encryption for all.

The pushback from governments comes from their desire to monitor data to protect children’s internet safety and to uncover and deter drug trafficking. However, if an app allows access to all of its data, that opens it up for everyone else to access as well. Less democratic governments could mimic these regulations, resulting in individual freedoms being diminished. If a Western regulation obliges global companies to be able to break end-to-end encryption, then non-democratic countries may require it as well. It becomes a fine line between helping and hurting.

Non-encrypted platforms don’t protect against crime

Non-encrypted platforms may have the perception that giving the government access to users’ personal data, will help prevent crime, however, it could potentially give criminals access to the same information. Hackers and rogue players are continually improving their abilities to breach personal data and exploit it by either selling it into the wrong hands or using it for fraud and other criminal activity. If the data isn’t accessible at all, the risk of any sort of breach is removed entirely. Therefore, companies should continue to invest in protecting personal data and minimizing the amount of personal data they hold internally. Developing laws continue to take steps in the right direction with the Digital Service Act (DSA) which amongst other obligations, will prevent platforms, like Google, Amazon, and the Meta-owned Facebook, from using sensitive information for targeted ads.

Messaging apps are not intended to serve criminals, but in today’s world, criminals have many means of communication beyond messaging platforms. The communication for a terror attack in London was handled through drafts in a shared email account. Criminal organizations can, without too much effort, even create a messaging app of their own. The truth is, criminals will find ways to be criminals, and stripping the privacy of other users won’t change that.

Crime can still be prevented even with end-to-end encrypted messages, as the victim can consensually share their communication directly with the authorities. When the criminal is detained and their device is confiscated, the authorities could gain access to the encrypted communications that way, as well. End-to-end encryption can still be applied, and authorities can use other methods to fight crime. 

The future is encryption

Unfortunately, it doesn’t look like end-to-end encryption will be incorporated into global privacy regulations anytime soon for a number of reasons. Firstly, current privacy regulations don’t implement exact methods for protecting personal data, but just a general rule, which is open for interpretation. Having no specific checklist leaves many corporations skirting the line of what’s allowed. Secondly, government officials are still interested in having access to personal data, whether it is for safety or criminal defense.

For now, the responsibility of being end-to-end encrypted falls with the providers of messaging apps and the consumers opting to use those services. With more consumers pushing the providers of messaging platforms to offer it by default, this will severely reduce sensitive personal data from falling into the wrong hands, and consumers will limit the risk of their personal conversations being exposed or exploited by malicious players or used for profit. 

Until we reach a point where end-to-end encryption is incorporated into our privacy laws, consumer education will be key in the progress of privacy protection. Many consumers do not make an informed decision as to which service to use, but only care when it’s too late and their data has been breached. The hope is that, with time, the future of privacy regulations will be end-to-end encryption as the default setting for everyone.

Authored by Idit Arad.

Have you read?

Best CEOs In the World Of 2022.
TOP Citizenship by Investment Programs, 2022.
Top Residence by Investment Programs, 2022.
Global Passport Ranking, 2022.
The World’s Richest People (Top 100 Billionaires, 2022).
# Satya Nadella: The most successful CEO of the Tech industry.

Track Latest News Live on CEOWORLD magazine and get news updates from the United States and around the world. The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine.
Follow CEOWORLD magazine headlines on: Google News, LinkedIn, Twitter, and Facebook.
Thank you for supporting our journalism. Subscribe here.
For media queries, please contact:
Idit Arad
Idit Arad is General Counsel for Rakuten Viber, leading the company's legal, compliance, and government relations functions across all jurisdictions and serving as the company's "privacy guardian." She has extensive in-house legal experience working as a commercial and data protection lawyer, focusing on the tech industry. Idit also holds a law degree from the Hebrew University as well as a privacy CIPP/E certification.

Idit Arad is an opinion columnist for the CEOWORLD magazine. You can follow her on LinkedIn.