Governments today are faced with a difficult task as they seek to fulfill their responsibilities to protect and defend their national security interest and the human rights of their citizens online, including the rights to privacy and security. Addressing these challenges requires creative thinking by both public and private sector entities resulting in innovative policy solutions, cross-sector partnerships, and a delicate balance between stopping malicious actors while protecting civil liberties. The Cybersecurity Tech Accord and its signatories have been quick to applaud policies and initiatives aimed at achieving these goals and striking this balance, such as the U.K.’s recent release of its vulnerabilities “equities process.”
Unfortunately, other policy trends seem counterproductive, and have the potential to damage essential partnerships and complicate cybersecurity challenges in a narrow pursuit of immediate national security gains. This includes legislation that limits the right to privacy and freedom of expression, such as recent laws passed in Egypt and Vietnam, as well as implementing policies and practices that may weaken the security of technology products, disproportionate to expected “national security” benefits. The recent Australian Assistance and Access Bill 2018 is one such example.
The Bill seeks to address a very real and growing challenge – namely, how to uncover and deal with criminal behavior hidden by encrypted communications and other sophisticated technologies. However, irrespective of intent, it sets a concerning precedent as the approach taken could permit the government to not only compel companies to hand over user data, but also to issue “technical capability notices” requiring them to build capabilities to intercept secured communications.
Such capabilities can create vulnerabilities that enable cybercriminals or other actors to harm innocent users – a particular challenge if introduced in mass-market products. And while the position of the Australian government has been that the recent law expressly prohibits the introduction of so-called “systemic” vulnerabilities,[1] such terminology remains ill-defined and needs greater clarity and limitation in scope. Moreover, as we learn more about interconnectivity, even “contained” vulnerabilities could spread and have far-reaching consequences.
The Cybersecurity Tech Accord signatories believe that strong encryption of devices and services protects the privacy and data security of our users and customers, while also promoting free expression and the free flow of information around the world. As such, we see such moves as potentially inconsistent with our shared values and beliefs. Our principles commit us to “design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities,” as well as to “…protect against tampering with and exploitation of technology products and services…” and to “not help governments launch cyberattacks against innocent citizens and enterprises.” We respectively design and build technologies intended to be secure, reliable and to improve people’s lives and we should not be asked to act in ways that jeopardize that commitment.
To be clear, we are not dismissing the scale of the challenges we all face in this space. However, the response should not be to require companies to compromise the integrity of their products and services. Doing so could put users at risk. We are hopeful that in 2019 we can continue to work together with policymakers and law enforcement officials, as well as representatives of civil society, to find solutions that protect the integrity of technology products used by customers while addressing cybercrime and other issues in innovative and effective ways that respect the need for nuance in these conversations. After all, solving thorny and difficult challenges is at the core of what we do as an industry. This is a time to put our heads together and find new ways to promote a safer online world.
[1] https://www.zdnet.com/article/australias-encryption-laws-will-fall-foul-from-differing-definitions/