Encryption: Why It Matters

DATA IS INCREASINGLY CENTRAL to our personal lives, economic prosperity, and security. That data must be kept secure. Just as we lock our homes, restrict access to critical infrastructure, and protect our valuable business property in the physical world, we rely on encryption to keep cybercriminals from our data. Proposals to regulate this crucial form of protection — however well-intended — could weaken our security.

Software continues to spark unprecedented advances that transform the world around us. From life-saving medical breakthroughs, to safer transportation, to enabling global economic transformation, our lives are improving in countless ways through the ubiquity and utility of data powered by software.

Digital security is becoming increasingly important to protect us as we bank, as we shop, and as we communicate. And at the core of that security lies encryption. As our lives increasingly move online, everyone should be doing more to improve the digital security of data, not less. Our digital world is constantly under attack by cybercriminals:

Data breaches exposed at least 423 million identities in 2015 — increasing by more than 20 percent in just a single year.

Americans worry about hacking — of their credit card information, phones and computers — more than any other crime. And for good reason: nearly half of American adults have been hacked.

Encryption In Our Daily Lives

ENCRYPTION IS A PART of almost every service or device we use to live our lives online. Every day, often without us even being aware of it, encryption keeps our personal data private and secure. Encryption is a vault that secures our personal information that is held by businesses and government agencies. It is a lock that prevents identity thieves from stealing our information when we log on to our bank accounts. It is an extra layer of security to safeguard our critical infrastructures. And it is a secure envelope that keeps hackers from reading our personal communications. Encryption is all of these things and more:

Use of encryption continues to rise, with more than one third of businesses in one recent survey reporting that their organization uses encryption extensively.

Use of encryption is steadily shifting to a strategic activity, with organizations moving to an enterprise-wide encryption strategy.

Government rules — around patient data, financial transactions, and consumer information — frequently require companies to encrypt the data they hold.

Securing the data at the heart of our modern economy is a never-ending effort tied to multiple, interconnected parties. This involves not just the software companies that create products and services but the consumers who rely on those products and services to power their daily lives, the companies that encrypt human resources, sales, or other data, and even the law enforcement officials who investigate crimes. With so many interests at stake, it is vital that discussions about the future of encryption involve all perspectives.

Encryption Principles

A Comprehensive Approach to Promoting Global Cybersecurity, Public Safety, Personal Privacy & Prosperity

The current polarized debate on the use of encryption to promote security regrettably assumes that solutions must have winners and losers. We forcefully reject this assumption.

Effectively addressing all legitimate interests requires acknowledging two realities: first, increased reliance on secure information technologies improves our daily lives, advances our economy and individual freedoms; and, second, bad actors will misuse security tools to pursue their illicit aims — from terrorism and violent crime to cyberattacks.

These realities establish two goals, both of which must be achieved:

  1. Criminals and terrorists must be stopped, and
  2. Individuals’ security and privacy to enjoy and lead daily lives in the digital world must be safeguarded.

An enduring solution to the encryption challenge must balance the legitimate rights, needs and responsibilities of:

  • Governments to protect personal and confidential information they hold and to prevent terrorist and criminal acts and prosecute offenders;
  • Individual citizens’ right to secure the privacy of their personal information.
  • Providers of critical infrastructure and essential services— including water, electricity, transportation, banking, and health — to protect their operations from cyberattacks;
  • Third-party stewards of personal data and confidential business information to protect the data entrusted to them;
  • Innovators to develop products and services that improve our daily lives and drive economic growth free of government mandates.

Principles For Action

Moving the encryption debate forward will require many groups to come together to craft solutions. We will evaluate any proposed legislation, regulation or policy on encryption in light of the following principles:

  1. Improving data security: Providers of data services — storing, managing or transmitting personal or business data — must be permitted to use the best available technology to thwart attacks against that data or the entities and individuals who depend on those services.
  2. Enhancing law enforcement and counter-terrorism capabilities: Law enforcement agencies, subject to appropriate privacy and civil liberties safeguards, should have access to the best available resources, information, and tools available to prevent and prosecute terrorist and criminal acts.
  3. Promoting privacy: Individuals have a right to be secure in their public, private and commercial lives and interactions.
  4. Protecting confidential government information: National, state and local agencies should ensure that the data they hold is secure against threats of domestic and foreign intrusion.
  5. Encouraging innovation: Developers and providers of innovative data security tools should be free of government mandates on how to design technology products and tools for digital security.
  6. Defending critical infrastructure: Providers of essential services, such as banking, health, electricity, water and other critical infrastructure providers, should be empowered to provide the best available security technologies to their users. Best practices should be widely shared.
  7. Understanding the global impact: Criminal and terrorist acts are not limited by national borders, and laws and policies must create consistency and clarity in all countries where security technologies are developed and used.
  8. Increasing transparency: There should be full, transparent, and considered public dialogue before any legislative proposal concerning the future of technology mandates or encryption is adopted.

What the Experts Say

Swipe left or right to read quotes.

I am deeply worried about the magical thinking that I think is taking place among some in law enforcement that back doors can be created, that devices can be hacked into in a good way but not in a bad way.

Julie Brill, former Commissioner, Federal Trade Commission
The Wrap’s Power Women Breakfast, March 2016

[E]ncryption is a necessary part of data security, and strong encryption is a good thing.

Ash Carter, Secretary, Department of Defense
“Securing the Oceans, the Internet, and Space: Protecting the Domains that Drive Prosperity,” March 2016

[W]e still need encryption and with the challenges we face on cybersecurity, encryption remains even more essential to protecting safety and commerce online.

Alan Davidson, Director for Digital Economy, U.S. Department of Commerce
Access’ Crypto Summit, July 2015

As a person charged with thinking about consumer protection, I deeply worry about things like mandatory backdoors and exceptional-access systems in consumer-facing products ... It has the consequence of potentially making consumer data less secure.

Terrell McSweeny, Commissioner, Federal Trade Commission
State of the Net conference, January 2016

Now, more than ever, strong security and end-user controls are critical to protect personal information ... If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.

Terrell McSweeny, Commissioner, Federal Trade Commission
“Worried About Your Data Security? How Encryption Can Help Protect Your Personal Information,” September 2015

Specifically, companies should: (1) conduct a privacy or security risk assessment as part of the design process; (2) test security measures before products launch; (3) use smart defaults – such as requiring consumers to change default passwords in the set-up process; (4) consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and (5) monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities.

Edith Ramirez, Chairwoman, Federal Trade Commission
“Privacy and the IoT: Navigating Policy Issues,” International Consumer Electronics Show, January 2015

Strong encryption makes us safe.

Jessica Rosenworcel, Commissioner, Federal Communications Commission
The Wrap’s Power Women Breakfast, March 2016

Encryption is foundational to the future. So spending time arguing about ‘encryption is bad and we ought do away with it’ — that is a waste of time to me. Encryption is foundational to the future.

Admiral Michael S. Rogers, Commander of US Cyber Command and Director of the National Security Agency
US Cybercom and the NSA, Atlantic Council, January 2016

Much of GCHQ‘s work is on cyber security, and given the industrial-scale theft of intellectual property from our companies and universities, I’m acutely aware of the importance of promoting strong protections in general, and strong encryption in particular. The stakes are high and they are not all about counter terrorism.

Robert Hannigan, Director, GCHQ, UK
“Front doors and strong locks: encryption, privacy and intelligence gathering in the digital era,” MIT, March 2007

Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to fuel the debate, but this is not the right solution according to the Government's opinion.

Axelle Lemaire, Digital Affairs Minister, France
Remarks rejecting an encryption amendment to France’s Digital law, January 2016

The new rules should also clearly allow users to use end-to-end encryption (without 'backdoors') to protect their electronic communications ... Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited. In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design…

Giovanni Buttarelli, European Data Protection Supervisor (EDPS)
Preliminary EDPS Opinion on the Review of the ePrivacy Directive (2002/58/EC)

BSA Resources

Other Resources