Given the headlines, you'd be excused for thinking that Washington and Silicon Valley were at war. With Apple battling the FBI over encryption, and Microsoft suing the Department of Justice over secret data requests, U.S. tech companies have found themselves in the uncomfortable position of defending their customers' privacy against what they see as overreach by the U.S. government.
At the root of these disputes and others is a common problem: The laws that govern privacy are woefully outdated in a world of cloud services, social networks, global messaging and smartphones. The challenge that lies ahead is determining what new shape these laws should take in a world of iPhones, WhatsApp and cloud storage — and whether they will even matter since all of these forces ignore national borders.
Representing the software industry in this fight is the D.C.-based BSA/The Software Alliance (formerly the Business Software Alliance), a trade group whose members include Microsoft, Apple, IBM, Salesforce and Adobe. Victoria Espinel, the group’s CEO and a former White House trade negotiator, sat down with International Business Times to handicap the legislative field at this point.
IBT: Given recent history, are your members still working with the government?
Espinel: We want to live in a safe and secure world. We want that as individuals and we want that as an industry. Our companies work with law enforcement cooperatively every day, every minute of the day around the globe, so to say we are supportive of law enforcement efforts is really an understatement.
That said, we have real concerns about undermining encryption. The way we look at this: While weakening encryption could have some short-term gains for law enforcement, long term it will make law enforcement’s job harder because it will increase the amount of cybercrime that exists and it will make us ultimately less secure. We want law enforcement to have all the tools that it can as long as those tools don’t cause collateral damage.
IBT: Do you think there should be products that should be completely sealed off from law enforcement?
Espinel: I think we don’t want to be in a place where government is mandating how technology evolves. I think we very much want law enforcement to be able to work as quickly and effectively as it can. But when the government starts to put mandates or restrictions on how technology evolves, it does not go well.
The second thing I would say is those restrictions will only fall on the backs of U.S. companies by definition. So it won’t really solve the problem law enforcement is trying to solve. It will drive people to foreign or homemade providers of encryption. Those who want to use encryption for nefarious purposes will continue to do so.
IBT: Do you have any sympathy for law enforcement dealing with encrypted messaging and locked devices?
Espinel: Assuming that there is a warrant and the process is appropriate, law enforcement has a great deal of information that they would not have had access to even a few years ago, given the technology. I think what companies decide to do individually with their products is being driven by the fact that consumers are concerned about security. We live in a world where breaches are happening every day and being reported on and that isn’t going away, and it is leading companies to think and invest more to make the security of their products as foolproof as possible.
IBT: Why is encryption important?
Espinel: There is a lot of focus for obvious reasons on communications devices and WhatsApp, but we are sitting here one block from Wall Street in the heart of the Financial District [of New York]. All of that financial information is protected by encryption. Utilities use it to keep the lights on and the water running. Hospitals use for medical records and healthcare. The Defense Department for national security. The fact that there are a broad range of uses and interests is one of the reasons we have been saying that whatever solution we work out has to come out of a discussion with a whole range of stakeholders that use encryption.
IBT: Given the heat involved, do you think that kind of discussion is even possible?
Espinel: I do; maybe I’m an optimist. I’ve also been in the early part of my career, a trade negotiator. So I’ve been in a lot of talks that started heated and ended up in agreement. In my former job in the administration, a big part of what I wanted to accomplish was bringing the tech community and Hollywood together. Some of those discussions at the beginning were extremely heated, but we kept at it and found places where people could agree.
IBT: Who needs to be brought together to make it happen?
Espinel: Law enforcement should be there. Tech should be there. Human rights advocates, privacy advocates. The intelligence community. There are a number of industries that use encryption and in my opinion they should be there. There are many industries that rely on encryption that are not software and tech companies. But I think having producers and users and beneficiaries in various ways all at the table together would be helpful.
IBT: Can any U.S. policy work if the networks are global and many are based abroad?
Espinel: We need to emphasize this is not a U.S. issue. The debate is happening in so many countries around the world. I have two concerns: that some of those governments will take policy approaches we think are harmful, and if governments are taking very different approaches, we may end up with this patchwork of different laws around the world that will be incredibly difficult for everyone, including law enforcement.
It's also very confusing to consumers, who frankly shouldn't have to spend a lot of time trying to understand what happens to their information if they are using services, and whether that changes given where data centers are located.
IBT: This Congress is known for not getting much done. How big a priority is this?
Espinel: So I think there are a number of members of Congress who realize it is a complicated issue, they need to learn more and are eager to do that. We are getting a real appetite to learn as much as possible about the technology and about the policy and the legal ramifications of the issue. How long it takes to coalesce to a policy approach I’m not sure. It won't happen overnight. I am reasonably sanguine it will lead to some sort of consensus on approach. It may not lead to legislation.