A path forward for the encryption debate

We’ve reached a deadlock in the encryption debate. It’s a complicated, passionate issue. People are talking past one another and proposals have fallen flat. FBI Director James Comey has called for an adult conversation about encryption and all sides should take him at his word.

The problem with trying to have such a conversation is that the loudest voices – even Director Comey – demand solutions, but they aren’t willing to talk about what those solutions entail. They aren’t willing to have a discussion focused on the hard questions.

{mosads}We’ve seen this debate before, with little progress. The media reports the news of a tragic event, and before the investigation can begin, law enforcement points to the evils of encryption. Right after that, others fire back about how the cops don’t understand technology.

That’s not a discussion; it’s a battle of buzzwords.

In order to move forward, we need a lens that allows all sides of the issue to be considered, something that enables the examination of all perspectives. That is why our companies, the leaders of the global software industry, have come together to develop a set of principles that will enable legislators to evaluate encryption proposals in a balanced way.

We have to get this conversation right. Consumers expect their data to be secure even when confronted with constantly evolving threats: More than half a billion personal information records were reported as lost or stolen last year, and ransomware attacks grew by thirty-five percent. Encryption is essential to defend against increasingly sophisticated hackers and cyber threats. Cybersecurity is a cornerstone of our connected societies. It safeguards everything from global transportation and financial systems, to manufacturing and agriculture, to our power grids and clean water supply.

Because encryption protects us in so many ways, it is important that technology policies around the world do not mandate built-in flaws that would undermine its effectiveness. Weakening encryption by requiring companies to intentionally undermine the integrity and the security of their products and services will eventually lead to less security for our society as a whole. Compromised encryption may help law enforcement investigate specific crimes, but it can also make the internet and our lives much less secure. There is no way to weaken encryption only for law enforcement. Mandated weak encryption lowers our defenses in every sector that depends on software. And today, every sector depends on software.

Regrettably, the current encryption debate is perceived as a zero-sum game. It doesn’t have to be. The first step toward a productive dialogue is to find common ground: Security is an incredibly important concern, but law enforcement officials have to acknowledge that backdoors and key escrow proposals will make us all less safe. Encryption is fundamental to digital security, but tech experts just can’t walk away from questions about how to go after criminals and terrorists who use digital tools and attempt to shield their crimes through encryption.

The right encryption solution will address the needs and responsibilities of all sides. In the spirit of finding and maintaining this balance, the software industry has come up with a set of principles against which any new encryption proposal should be tested.

These principles address the need for governments to protect sensitive information while preventing and prosecuting terrorist and criminal acts; the right of individual citizens to security for their personal information; and the responsibility of providers of critical infrastructure and essential services – including water, electricity, transportation, banking, and health — to protect their operations from cyberattacks. They also include the need for third-party stewards of sensitive personal data and valuable commercial information to protect the data entrusted to them, and for innovators to have the freedom to develop products and services that improve our daily lives and drive economic growth without government mandates.

Looking at solutions is the next step. This isn’t the final answer, but the beginning of a respectful discussion. Software companies have taken our seat at the table, and it is time for others to join.

Victoria A. Espinel is President and CEO of BSA | The Software Alliance.