Here’s What Congress Needs to Know Wading into Encryption

Today, House Judiciary Committee lawmakers will get their first opportunity to delve into the complex issues presented by what’s become known as “the Apple case.” As these policymakers examine the implications of encryption technology, we hope they will keep the following five points in mind.

First, the women and men who work for U.S. technology companies abhor crime and terrorism. They work each day to protect the citizens of the United States and people across the globe from data crime and physical harm alike by building security into their products, by innovating new products that may deter crime, by removing extremist content from social media platforms and amplifying anti-extremist content, and by cooperating with law enforcement requests when capable and when the requests are made under proper legal service. For anyone to suggest that the tech industry “will advance the best interests of their shareholders” rather than the best interests of our children, our family, our friends, and our neighbors is to unfairly demagogue our integrity and to demonstrate a fundamental misunderstanding of the spirit of the tech industry and what motivates us.

Second, the debate playing out today has been painted as a debate about privacy versus security, but encryption is first and foremost a security tool. We rely on this technology to prevent criminals from stealing the contents of our bank accounts, to thwart would-be hackers from seizing control of our cars and airplanes, to protect the industrial controls maintaining our critical grid, such as nuclear power plants and water supply networks, and to guard against tampering with industrial manufacturing systems for sectors such as pharmaceuticals and chemicals. Encryption also shields privacy in a way that secures us. For instance, encryption shields the feeds from Wi-Fi-enabled baby monitors from the prying eyes of predators, or the GPS history on the phones of domestic violence victims or children, protecting them from abusers. And according to Federal Trade Commission (FTC) Commissioner Terrell McSweeny, “[t]he impact of major breaches may also be reduced the more that users' data and communications are encrypted end-to-end.” As the voice of the tech sector, ITI believes it bears repeating that we deeply appreciate the work of law enforcement and the national security community to protect us, but weakening encryption or creating backdoors to encrypted devices and data would almost certainly cause serious physical and financial harm across our society and our economy.

Third, some have tried to paint the tech industry’s motivation in using encryption as one of profit, but protecting our customers’ interests is not just our objective – it’s our obligation. While it’s true that what’s good for consumers is good for our bottom line, the fact is that as an industry we almost entirely fall under the jurisdiction of the FTC, which means we are subject to enforcement should we fail to employ reasonable protections to safeguard our customers’ information. One reasonable method of protection recommended by the FTC in its Start with Security: A Guide for Business is “strong cryptography to secure confidential material during storage and transmission.” Reviewing the FTC’s data security enforcement cases reveals multiple instances where encryption should have been used to protect consumer data. It’s worth noting that beyond the FTC, other sectors of the Federal government agree encryption is a critical cybersecurity tool. After the Office of Personnel Management revealed this past summer that the databases holding tens of millions of individuals’ personal information were not protected by encryption, federal agencies are strengthening their cyber defenses. The Department of Defense, for instance, is spending over half a billion dollars for a new security clearance system that will rely on strong encryption protections. And until they removed a page on their website last year, even the FBI encouraged the use of encryption on phones and other devices ‘to protect user’s data.’

Fourth, just like any other technology, what was state of the art in 2012 is no longer state of the art today. Evolving technology responds to evolving threats, and we are in a constant arms race to protect information and networks from hackers. To protect our customers from would-be evildoers, we race to stay one step ahead; today, that step ahead is client-side encryption. Mandating that companies move backwards in the fight against wrongdoers – whether they are cyber gangs or cyber-savvy stalkers and even rogue nations – simply doesn’t make sense.

Lastly, the issues law enforcement encounters when faced with an encrypted device or product are not unique to the United States. Encryption is simply math (though not simple math, to be sure), and math is universal. A recent survey by Bruce Schneier, a fellow at Harvard’s Berkman Center for Internet & Society, demonstrates this very fact: of the 619 entities Schneier identified as selling encrypted products, more than 65 percent are based outside of the U.S., and of the products offered by the non-U.S. companies, nearly half are available for free. Restricting encryption technology in the U.S. will not make the technology unavailable, but it will make it an economic boon for those foreign entities.

We know the issue at hand is complex and carries with it implications for security, privacy, and innovation. At the heart of the matter is the fact that weak encryption leaves all persons vulnerable to breaches of privacy and cybercrime, and our country and economy at greater risk of harm.
