Two years ago it was revealed that the National Security Agency had for some time been engaging in untargeted, bulk data collection of Americans’ communications. Since that time, consumers, developers, and Congress have all become more attuned to the idea of Internet privacy and data collection. Congress convened hearings to explore the idea of both consumer privacy and national security. On April 29, 2015, the House Information Technology Subcommittee held an important hearing examining end-to-end encryption technologies and their effects on developers, consumers and law enforcement.
Testifying before the Subcommittee, the Application Developers Alliance explained how calls from law enforcement and national security agencies for access to apps through built-in “backdoors” would create uncertainty for businesses, and perpetuate consumer mistrust. Consumers demand the apps they use are secure—and their most personal and sensitive data is protected. Developers, who continue to make every effort to meet these market demands, receive mixed messages from various government agencies.
At times, the Federal Trade Commission, state attorneys general, the Federal Bureau of Investigation, and even President Obama’s Review Group on Intelligence and Communications Technologies have all recommended the use of end-to-end encryption technologies. Unfortunately, there are still law enforcement agencies asking developers to grant law enforcement and national security agencies special access to consumers’ information and communications through built-in backdoors, and to refrain from using end-to-end encryption.
Uninhibited collection of personal data by governments is unacceptable to developers and their customers. Consumer trust is paramount in the app industry and this surveillance damages our entire industry, undermining app developers everywhere. The Application Developers Alliance supports efforts to employ end-to-end encryption to safeguard consumers’ privacy. Built-in backdoors—even if intended for “the good guys”—present enormous threats and are particularly burdensome for small startups. The Alliance believes that efforts to prevent implementation of end-to-end encryption or require built in “backdoors” are:
• A threat to innovation. Developers whipsawed by the government’s mixed messages may be paralyzed in product development, launches, and implementation of cutting-edge security protocols, as they are left to wonder which government agency they should be listening to regarding whether to implement encryption.
• A threat to economic growth. Developers are in a race to attract customers all over the world. By granting government agencies unfettered access through backdoors in apps, other countries with more stringent privacy laws could ban American apps from doing business within their borders.
• A threat to consumer trust. Consumers rightfully expect their communications and data to be private and secure when purchasing or using apps. Since our sector’s inception just a decade ago, developers have prioritized the security and handling of their consumers’ data because they know that good data stewardship is critical to business success. Backdoors undermine the trust companies work hard to achieve.
• A threat for bad actors to use the backdoor. Any opening in security—whether intended only for “the good guys”—creates a vulnerable access point for hackers, thieves, and foreign governments to exploit.
One of the legislators at April’s hearing was Representative Ted Lieu (D-CA). We caught up with Congressman Lieu to discuss his support of end-to-end encryption and opposition to backdoors.
Application Developers Alliance: You come at this issue from a unique perspective. You majored in computer science in college and currently serve in the Air Force Reserves. How have these experiences helped to inform your views on the privacy issues we are tackling today?
Representative Lieu: I like to say that if I can survive taking CS 240—Advanced Topics in Operating Systems—in college, I can tackle any complex national policy issue. But in all seriousness, as one of four computer science majors serving in the Congress, I have noticed a lack of technological expertise on Capitol Hill at a time when we’re seeing technology increasingly intertwined into every aspect of our lives. There are a number of people who are working to bridge those knowledge gaps and I hope to be part of that effort. When we look at issues like cybersecurity, for example, I believe my computer science education and my experience as an officer in the U.S. Air Force give me a unique perspective on what’s technologically feasible, and how we can balance the need to safeguard our privacy with the need to protect our homeland security.
Application Developers Alliance: During the Information Technology Subcommittee hearing in April you mentioned the increase in encryption adoption being market-driven. Specifically, you stated:
“Why do you think Apple and Google are doing this? [Encryption adoption] is because the public is demanding it, people like me, privacy advocates, a public that doesn’t want an out-of-control surveillance state. It is the public asking for this. Apple and Google didn’t do this because they thought they would make less money. This is a private sector response to government overreach.”
Aside from bringing attention to the issue, what role should Congress play—whether through agency oversight, legislation, or other means?
Representative Lieu: I believe Congress is a force for good. But we are not nimble and laws are often not nuanced. Technology, on the other hand, changes rapidly and can be quite complex.
Congress can and should debate issues related to technology, such as encryption. But we need to make sure we do not stifle innovation and always be mindful of the law of unintended consequences. Specifically in the area of encryption, I encourage solutions that protect privacy and keep American products competitive abroad. I oppose law enforcement efforts to weaken encryption.
Conducting oversight through public hearings allows Congress to focus attention on input and solutions from the experts who know these technologies inside and out, including those in the industry who track what consumers want. We can also work with advocates and the media to educate the public on the risks presented by bad policy. Perhaps most importantly, Congress has the power of the purse. I was a co-sponsor of several successful amendments to prohibit federal funds from being spent to develop backdoor encryption mandates or support intrusive and illegal NSA mass data collection programs. Our job is to use every tool at our disposal to serve the interests of our constituents.
Application Developers Alliance: For 15 consecutive years, identity theft has been the number one consumer complaint to the FTC and consumers frequently read about data breaches in the news. How can privacy-enhancing tools like encryption protect consumers and businesses?
Representative Lieu: Privacy enhancing tools like multifactor authentication and encryption solutions can enable applications providers to offer more options to protect sensitive, personally identifiable information. These tools can inspire greater consumer trust, whether that consumer is an individual or a business.
Application Developers Alliance: Law enforcement proposed a supposed alternative to backdoors that would require technologies to create a digital key that could open locked devices. But is this a back door by any other name? Is a backdoor truly secure against cyber thieves and criminals who seek to breach secure technologies?
Representative Lieu: Whether you call it a front door, a back door, or a trap door, deliberately creating vulnerabilities in an otherwise secure system is a technologically stupid idea. As I have pointed out before, code is neutral. It doesn’t know whether the person accessing the back door is an FBI agent, a hacker, or a terrorist. A vulnerability that can be accessed for lawful means can also be exploited for unlawful means and I have yet to hear anyone in the law enforcement community offer any assurances otherwise.
The massive data breaches at the Office of Personnel Management highlight the fact that if government can't even protect the most sensitive national security data from hackers, what confidence do we have that government can protect a database of digital keys that could unlock millions of cell phones?
Application Developers Alliance: Opponents of encryption, often those in law enforcement circles, say that encryption would stifle investigations and threaten our safety. How would you respond?
Representative Lieu: Our country has been wrestling with the proper balance between individual privacy and national security since its founding and the passage of the Fourth Amendment. I appreciate the challenges the law enforcement community faces with new encryption technology, but there is no technological middle ground—either we create a backdoor anyone can potentially access, or we have secure digital privacy. A free society that treasures privacy does make law enforcement's job more difficult. But that is a better alternative than an Orwellian system where everyone has far less freedom and privacy. Advocates for a backdoor also have yet to answer how they would address market-realities. End-to-end encryption will continue whether the technology is produced in the United States or elsewhere. Mandating backdoor access in American products would simply encourage people concerned about secure communications to purchase foreign products or applications—and it would come at an immense price to us domestically.
I also find it odd when law enforcement argues that encryption promotes crime and terrorism. If that is the frame, then there are lots of products that promote crime and terrorism, including paper shredders. Can a paper shredder be used to destroy evidence and conceal terrorist writings? Absolutely. Should we get rid of paper shredders to help law enforcement? Absolutely not. One reason is because paper shredders, like encryption, serve other very useful purposes, such as the protection of sensitive information.
Application Developers Alliance: What is at stake without widespread adoption of end-to-end encryption?
Representative Lieu: End-to-end encryption is just one example of innovation inspired by customer demand for secure communications. Unless there is a danger to the public through faulty products, I don’t believe that innovation and privacy rights under the Constitution should be undermined or discouraged for law enforcement's convenience.
Join Representative Ted Lieu for Lunch!
In Santa Monica, CA on August 18th, the Application Developers Alliance is hosting a special lunch event with Representative Ted Lieu to discuss key issues that impact your app business. Can't make it? Don't worry, we're recording the discussion for on demand viewing.
Join in the conversation and tweet questions ahead of the event to @AppsAlliance #LieuChat.
Policy and Government Relations Manager