We followed up with Leonid Grinberg, ASAL’s own former Editor-in-Chief, to discuss his new note, slated for publication in Volume 74 Issue 1.
What have you been up to since graduating? What’s your day-to-day like?
I am a law clerk on the United States District Court for the Eastern District of New York. My judge occasionally sits by designation on the Court of Appeals for the Ninth Circuit, so I get to do some appellate work as well. A lot more stuff ends up in federal court than you might think! My job is to summarize the cases for the judge. Sometimes I’ll draft opinions and briefs, which involves lots of legal research. Mostly, my job is to make the best argument to the judge so that he can be in the best position to make the final decision.
How has being an editor-in-chief (EIC) at ASAL helped your day-to-day at your clerkship?
The legal research and note writing I did as a law student is quite similar to what I do now. I am often the first person to read the briefs, research, and write a bench memo in which I summarize the record. As an editor at ASAL, I was more involved in editorial work than I am now, but still, when writing an opinion, I feel obliged to create coherent and nice-looking documents.
Being Editor-in-Chief was management-heavy, which I don’t do a whole lot of as a law clerk, but I think that the managing experience helped me learn how to multitask.
Also, as EIC, we dedicated a volume of the journal to Chief Judge Katzmann, and I had the opportunity to work closely with him. That experience boosted my confidence, especially when it comes to working with my judge now.
Your article is called “End-to-End Authentication: A First Amendment Hook to the Encryption Debate.” What caused you to be interested in writing about end-to-end encryption?
I have a computer science degree from MIT, and as an ASPIRE scholar at NYU Law, I had to do some work in the cyber law space. One of the requirements was to have a substantial research project, which is where this note came in!
Most engineers are skeptical of lawyers when they talk about encryption, probably because lawyers often don’t understand enough about the technical details of how it works. My aim was to make the technical background as accessible as possible, while making sure not to introduce distortions that can lead to misunderstandings. I also wanted to talk about something other than the Fourth Amendment, which lots of other people have written about. The First Amendment angle is a bit different, and it’s not often discussed in the encryption context.
Tell me about this First Amendment aspect of end-to-end encryption.
My article focuses on two First Amendment issues. The first is that consumer messaging services that offer end-to-end encryption rely on the service providers (e.g., Apple or Facebook) to maintain a directory of “encryption keys” for each user. The encryption is only secure if the providers honestly match users to their keys. Some people worry that the government could order a service provider to provide a key that the government controls but say that it’s a user’s key. This would enable the government to read messages sent to that user, or send its own messages that look like they were written by the user. My article explores the First Amendment rights of a service provider faced with an order like that.
The second issue is about the users’ First Amendment rights. As my article explains, encryption and authentication are deeply tied together in these services: if you can read a user’s messages, you can send messages that look like the user wrote them. So if the government does that—if it, in effect, impersonates a user—has that person’s free speech rights been violated? I conclude that current First Amendment doctrine does not cover that situation, but suggest that maybe it should.
Is this something that the average person should actually be concerned about?
So first, I would say that whether or not you care at all depends on your personal values. Some people feel like they have nothing to hide and don’t value privacy very much. Others care about privacy inherently, whether or not they have something to hide. I think both perspectives make sense.
For those that do care, I think it’s worth realizing that security and privacy are a matter of resources. If someone puts more resources into reading your messages than you put into protecting them, that person will win. The government has more resources than you do, so if they care enough, they will always win.
That said, the average person is, statistically speaking, not a target. But if you care about privacy, you should care for a couple of reasons. First, the technique my paper talks about is very low-resource for the government, including cash-strapped state law enforcement. Thus, it makes it comparatively easy to target a large number of people. Second, privacy is a matter of degree. Our modern world makes it really hard to stay truly private: just by looking at our public acts—what we buy, when we buy it, where we go, how we get there—it is really easy for someone to paint a pretty detailed picture of who we are. Many of us are willing to accept the comforts of modern life in exchange for that loss of privacy. But even those of us that do might still assume that some things we say in one-on-one conversations remain hidden. The point of this paper is that that assumption might be incorrect.