Even the U.S. imposes certain requirements on certain service providers, but design mandates must be narrowly crafted, must recognize and protect the public value of secure communications, and, tying back to the first point, must be transparent.
And third, companies, advocates, and policymakers should insist on appropriate legal process for any governmental access to users' communications; in other words, no snooping without a just cause. And companies making deals with governments to gain market access should be thinking about advancing user privacy rights and the rule of law as much as possible.
Companies are reluctant to be more transparent when it comes to shedding light on negotiations with governments. After all, one doesn't want to give terrorists a blueprint for shielding their own communications. But the relationships between governments and service providers need to be more open. That is true not only in the UAE but also in Europe, the U.S., and the rest of the world.
UAE officials argue they aren't asking for anything that service providers aren't already providing access to in the U.S. The UAE points to the mandates in the U.S. Communications Assistance to Law Enforcement Act (CALEA), which requires telecommunications carriers to build into their networks an easy way for law enforcement agencies to listen in.
Although CALEA has some flaws, it is just the opposite of what we're seeing in demands made by the UAE and offers a much better approach to dealing with government demands.
CALEA is a democratically enacted law implemented by the Federal Communications Commission, whose decisions are in turn subject to judicial review. It is unlikely that the UAE provides equivalent checks and balances on government design demands.
In addition, CALEA specifically recognizes the importance of unbreakable encryption to both commerce and human rights: it includes a provision expressly stating that the Act gives the U.S. government no authority to require a telecommunications carrier to design its encryption in such a way that the government can decrypt communications.
When assessing the robustness of civil liberties protections, the other important component is the underlying standard and process that controls government authority to use those design features in the lawful interception of someone's communications.
In the U.S. and most other democracies, law enforcement agencies have to get a court order—based on probable cause and targeting a particular person—to eavesdrop on someone's conversations. That goes for national security concerns, too. While I'm no expert in UAE law, I have serious doubts that the Emirates have a truly independent judiciary or an equivalent system of checks and balances.
Not to imply that users and companies operating in the U.S. (or the EU) should be without concern: In the aftermath of 9/11, the U.S. and many other democratic allies rolled back protections on privacy and due process and engaged in activities such as warrantless wiretapping—activities that have provided countries like the UAE and China with the political cover to claim that their surveillance demands and practices were similar to those of the U.S.