Two years ago it was revealed that the National Security Agency had for some time been engaging in untargeted, bulk data collection of Americans’ communications. Since that time, consumers, developers, and Congress have all become more attuned to the idea of Internet privacy and data collection. Congress convened hearings to explore the idea of both consumer privacy and national security. On April 29, 2015, the House Information Technology Subcommittee held an important hearing examining end-to-end encryption technologies and their effects on developers, consumers and law enforcement.
Testifying before the Subcommittee, the Application Developers Alliance explained how calls from law enforcement and national security agencies for access to apps through built-in “backdoors” would create uncertainty for businesses, and perpetuate consumer mistrust. Consumers demand the apps they use are secure—and their most personal and sensitive data is protected. Developers, who continue to make every effort to meet these market demands, receive mixed messages from various government agencies.
At times, the Federal Trade Commission, state attorneys general, the Federal Bureau of Investigation, and even President Obama’s Review Group on Intelligence and Communications Technologies have all recommended the use of end-to-end encryption technologies. Unfortunately, there are still law enforcement agencies asking developers to grant law enforcement and national security agencies special access to consumers’ information and communications through built-in backdoors, and to refrain from using end-to-end encryption.
Uninhibited collection of personal data by governments is unacceptable to developers and their customers. Consumer trust is paramount in the app industry and this surveillance damages our entire industry, undermining app developers everywhere. The Application Developers Alliance supports efforts to employ end-to-end encryption to safeguard consumers’ privacy. Built-in backdoors—even if intended for “the good guys”—present enormous threats and are particularly burdensome for small startups. The Alliance believes that efforts to prevent implementation of end-to-end encryption or require built in “backdoors” are:
• A threat to innovation. Developers whipsawed by the government’s mixed messages may be paralyzed in product development, launches, and implementation of cutting-edge security protocols, as they are left to wonder which government agency they should be listening to regarding whether to implement encryption.
• A threat to economic growth. Developers are in a race to attract customers all over the world. By granting government agencies unfettered access through backdoors in apps, other countries with more stringent privacy laws could ban American apps from doing business within their borders.
• A threat to consumer trust. Consumers rightfully expect their communications and data to be private and secure when purchasing or using apps. Since our sector’s inception just a decade ago, developers have prioritized the security and handling of their consumers’ data because they know that good data stewardship is critical to business success. Backdoors undermine the trust companies work hard to achieve.
• A threat for bad actors to use the backdoor. Any opening in security—whether intended only for “the good guys”—creates a vulnerable access point for hackers, thieves, and foreign governments to exploit.
One of the legislators at April’s hearing was the chairman of the House Information Technology Subcommittee, Representative Will Hurd (R-TX). We caught up with Chairman Hurd to discuss his support of end-to-end encryption and opposition to backdoors.
Application Developers Alliance: You come at this issue from a unique perspective. You majored in computer science in college and worked for the CIA before being elected to Congress. How have these experiences helped to inform your views on the privacy issues we are tackling today?
Chairman Hurd: My degree in computer science and time in the CIA as an intelligence officer certainly helped shape the way I think about these kinds of issues. I also spent many years in the private sector as Senior Advisor with a cybersecurity firm and as a partner at a strategic advisory firm helping businesses expand into international markets. All of these experiences gave me a wide-ranging insight into private sector views on technology issues, which I draw upon on a daily basis. Congress is attempting to legislate the most rapidly-changing industry in the world with yesterday’s solutions. We must alter our approach and make sure Members are educated on these issues.
Application Developers Alliance: In your opening statement during April’s hearing, you said you believe “we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement has the tools needed to catch the bad guys.” Aside from hearings that bring attention to the issue, how do you see Congress balancing these two concerns as it relates to backdoors? How can Congress help further this conversation and advance consumer privacy, American companies’ business opportunities, and limit opportunities for technology to be misused?
Chairman Hurd: For members of Congress, it’s ensuring we don’t take knee-jerk reactions to real problems. The info-sharing bills the House passed were years in the making and took multiple Congress’ to get done. I believe these bills are a great starting point and I was glad to have a hand in their development.
Too often, members try to put Band-Aids on wounds that need stitches, or vice versa. We need to engage the private sector as much as possible, because they’re the ones who have to live with the legislative fixes that Congress and the President enact.
Application Developers Alliance: For 15 consecutive years, identity theft has been the number one consumer complaint to the FTC and consumers frequently read about data breaches in the news. How can privacy-enhancing tools like encryption protect consumers and businesses?
Chairman Hurd: I believe this question hits the nail on the head. End-to-end encryption is actually one of the best privacy-enhancing tools we have. We learned recently the Office of Personnel Management did not encrypt the PII data it held on millions of Americans. The result is one of the most devastating cyberattacks this country has ever experienced. Millions of Americans are going to spend the rest of their lives worried about who has their data and what they are doing with it. That may have been avoidable had OPM simply encrypted the data.
In the private sector, companies large and small face a daily barrage of cyberattacks. For determined and resourceful adversaries, the question is not if, but when they will breach your network. If you begin with the presumption of breach, which is a cybersecurity best practice, one of the first things you are going to want to do is encrypt the data you have stored on your network. There really is no excuse for not doing so.
Application Developers Alliance: Law enforcement proposed a supposed alternative to backdoors that would require technologies to create a digital key that could open locked devices. But is this a back door by any other name? Is a backdoor truly secure against cyber thieves and criminals who seek to breach secure technologies?
Chairman Hurd: Cryptographers and experts in this field have overwhelmingly rejected the idea of a special law enforcement digital key. A digital key is simply another clever name for a backdoor. A backdoor is a vulnerability—no matter how the backdoor is designed or who it is designed for. And vulnerabilities can and will be exploited. To me, it’s simple math.
Application Developers Alliance: Opponents of encryption, often those in law enforcement circles, say encryption would stifle investigations and threaten our safety. How would you respond?
Chairman Hurd: I have been working diligently on this issue for over half a year. I still have not heard one compelling argument from the law enforcement community that leads me to believe their hands would be tied by end-to-end encryption. The DOJ just recently released a report in which it identified only four cases in which encryption foiled a wiretap. Witnesses at our subcommittee hearing earlier this year were unable to give concrete examples of when encryption had stopped an investigation.
In our digital age, law enforcement today has many tools at its disposal to investigate crimes and protect law abiding citizens that were unthinkable even a decade ago. We didn’t ban paper and fire because criminals could use these tools to further their interests and avoid law enforcement detection. It would be equally foolish to ban strong default encryption.
Application Developers Alliance: On a global scale, is it reasonable to expect other countries, upon learning that law enforcement agencies in the United States are requesting built-in backdoors, to follow our lead and require the same of their own developers?
Chairman Hurd: If the U.S. ever mandated backdoors to be built into devices and communication applications, I believe countries around the globe will immediately use the U.S. as an example to justify similar laws and regulations. The frightening part is that not all other countries tend to have the same respect for the rule of law and due process that we do.
Mandating a backdoor would set a horrible precedent and would have severe negative geopolitical consequences. Every country would want their-own backdoor and corrupt nation-states would use them oppressively.
Application Developers Alliance: What is at stake without widespread adoption of end-to-end encryption?
Chairman Hurd: America has always been a worldwide leader in innovation. We have also always been the global trendsetter when it comes to protecting digital freedoms. As I’ve mentioned before, we can find a way to balance both of these.
I have great respect for the FBI and our intelligence gathering organizations. Their work is some of the most difficult in the world. Trust me, as a former CIA officer, I understand where they are coming from. It’s a dangerous world and we have asked them to protect us.
However, I firmly believe the FBI is wrong on this one. In fact, I still have not heard the FBI clearly describe what they are asking for. They should abandon their misguided attempt to convince Congress and the public and U.S. technology companies to weaken encryption.
Geoff Lane
Policy and Government Relations Manager