Encryption Is Critical for Startup Security, Despite DOJ Spotlight

TLDR: Federal officials are once again calling for Internet companies of all sizes to undermine secure end-to-end encryption by creating intentional vulnerabilities in their products to facilitate law enforcement access to user data, a move that would risk user privacy and security. The renewed push comes after the Justice Department announced that it unlocked two iPhones belonging to the shooter in last year’s Pensacola Naval Air Station shooting and found that he had been working with al Qaeda.

What’s Happening This Week: Attorney General William Barr announced yesterday that the Justice Department uncovered evidence showing that the Saudi aviation student responsible for last year’s shooting at Pensacola Naval Air Station had extensive ties to al Qaeda in the Arabian Peninsula. The announcement came after the FBI unlocked two iPhones belonging to Mohammed Alshamrani, who killed three U.S. sailors in the shooting last December. 

Federal officials unlocked the recovered iPhones without assistance from Apple, which provided law enforcement investigators with iCloud data from the perpetrator’s account but did not engineer a way for law enforcement to access the phone’s contents because of concerns that the development of an intentional vulnerability would compromise users’ security.  

In a speech announcing the findings, Barr called for “a legislative solution” to enforce backdoors for law enforcement officials, adding that he did not believe it was difficult for tech firms to “design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.” But in a statement following Barr’s press conference, Apple stressed that there is “no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.”

Why it Matters to Startups: While Attorney General Barr and other federal officials may be targeting the encryption practices of Apple and other large tech companies, startups and small tech firms would be substantially affected by a mandate to create intentional vulnerabilities in their encrypted products and services. 

Startups in particular support the use of strong encryption because it provides users with an additional level of security and privacy. Many consumers are concerned about their data privacy, particularly with so many people now relying on digital services as a result of the coronavirus pandemic. Being able to offer enhanced security through the use of end-to-end encryption allows startups to differentiate themselves and compete with larger tech companies.

Companies of all sizes—from Apple to early-stage startups—are supportive of law enforcement efforts to crack down on illegal activity and often cooperate by providing data, support, and assistance in investigations. But Barr’s ask that tech companies intentionally build vulnerabilities into their products and services would sacrifice all users’ privacy and security in the name of assisting law enforcement investigations of specific users. While the DOJ says a “backdoor” would be for officials to use as part of sanctioned investigations, those new vulnerabilities can be found and used by others, including bad actors. 

And the risks of building in a “backdoor” will disproportionately harm new and small startups. While larger, more established tech firms have the financial resources and staffing to monitor, defend, and oversee access to an encryption backdoor, startups with few employees and limited financial resources will not be able to adequately protect their users if forced to create vulnerabilities. Forty startups already made this case in a 2016 letter to congressional leaders that highlighted the inherent difficulties of building and then monitoring an intentional vulnerability.  

Previously, Barr has pushed for backdoor access to securely encrypted data in regards to child exploitation investigations. As we explained at the time, however, Barr’s argument overlooks the many benefits of encryption. Persecuted people across the world—including LGBTQ individuals, journalists, whistleblowers, and political dissidents—rely on securely encrypted devices and tools to communicate.

And Barr’s line of argument tying encryption to child exploitation has started to make its way to the Hill. The EARN IT Act, introduced earlier this year, threatens to remove intermediary liability protections from online companies if they do not agree to yet-to-be-determined best practices for identifying and removing child abuse materials. While the lawmakers behind the bill have repeatedly expressed that the bill is not an attempt to undermine secure encryption, many are concerned that the best practices could end up including a prohibition on end-to-end encryption to retain critical intermediary liability protections. 

Whether it’s combating the spread of child sexual abuse materials, or identifying terrorist activity, Engine supports tech companies’ efforts to assist ongoing law enforcement investigations. But requiring tech firms to create intentional vulnerabilities threatens the security of all users.

For more background on what encryption is and how it is used by startups and privacy advocates, please see our booklet on the "Nuts and Bolts of Encryption" that we wrote with the Charles Koch Institute last year.

On the Horizon.

• The Center for Data Innovation is holding a webinar this Thursday at noon to discuss “the challenges and opportunities of establishing a digital currency in the United States.”

• The Technology Policy Institute is holding a Zoom panel this Thursday at noon to discuss the costs and benefits of data portability and interoperability for tech platforms.