by Nuno Menezes
The Compliance with Court Orders Act of 2016, released last week, proposed a new set of obligations which would force companies to allow access to sensitive information. Now, a joint force comprised of the Reform Government Surveillance, the Computer & Communications Industry Association, the Internet Infrastructure Coalition (I2C) and the Entertainment Software Association has replied to the draft bill.
The group wrote a letter to the sponsors, Chairman Richard Burr and Vice-Chairman Dianne Feinstein of the Select Committee on Intelligence, defending encryption as necessary to protect individuals’ data and preserve the free flow of information. The letter also expresses deep concerns about unworkable policies around encryption that would weaken the very defenses needed against people wanting to cause economic and physical harm. The group views encryption as critical to the safety of the nation’s (and the world’s) information technology infrastructure, and wants to avoid actions that will create government-mandated security vulnerabilities in encryption systems.
“As member companies whose innovations help to drive the success and growth of the digital economy, we understand the need to protect our users’ physical safety and the safety of their most private information.”
The letter goes on to explain that systems and devices include a variety of network- and device-based features, including but not limited to strong encryption, and are designed that way only to “protect users’ digital security in the face of threats from both criminals and governments.”
“Any mandatory decryption requirement, such as that included in the discussion draft of the bill that you authored, will lead to unintended consequences.”
The group holds the position that the effect of excessive requirements will force companies to prioritize government access over other considerations, including digital security. As a result, companies “could be forced to make decisions that would create opportunities for exploitation by bad actors seeking to harm our customers and whom we all want to stop.”
The letter describes a permanent flaw that such obligations would create. The bill would force those providing digital communication and storage to ensure that digital data can be easily obtained in “intelligible” form by a third party. Software would therefore have to be built so that some third party could potentially have access, and that access would be the flaw itself, since it could in turn be exploited by bad actors.
The group also remarks that once the U.S. required these obligations, other governments would follow, creating a global scenario in which privacy and security are compromised.
The letter considers that a law passed by Congress trying to restrict the use of data security measures will not ultimately be successful, as it will only serve to push users to non-U.S. companies, “in turn undermining the global competitiveness of the technology industry in the U.S. and resulting in more and more data being stored in other countries.”
The group concludes by saying that it supports “making sure that law enforcement has the legal authorities, resources, and training it needs to solve crime, prevent terrorism, and protect the public,” but that such enforcement should be conducted carefully so that it preserves customers’ information and security.
It also invited further discussion of how to achieve that balance, and raised concerns about the efforts being made to prioritize one type of security over all others in a way that leads to unintended, negative consequences that can jeopardize the safety of its networks and customers.
The letter can be found here.