The Cybersecurity Tech Accord is lending its voice in support of the open letter published ahead of the recent G7 meeting – calling on the G7 governments and their leaders to prioritize cybersecurity. We are proud to be joining an initiative supported by more than 30 other organizations, including the Internet Society, the World Wide Web Foundation, Global Partners Digital, AccessNow, Association for Progressive Communications, and the Centre for Technology and Democracy, to name just a few.
The letter asks the G7 leaders to not “require, coerce, or persuade device manufacturers, application, and service providers to: a) modify their products or services or delay patching a bug or security vulnerability to provide exceptional access to encrypted content; b) turn off ‘encryption-on-by-default’; c) cease offering end-to-end encrypted services; or d) otherwise undermine the security of encrypted services.” These requests are fully consistent with our shared values and beliefs.
The Cybersecurity Tech Accord principles commit us to “design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities,” as well as to “…protect against tampering with and exploitation of technology products and services…” and to “not help governments launch cyberattacks against innocent citizens and enterprises.” We respectively design and build technologies intended to be secure, reliable and to improve people’s lives, and we should not be asked to act in ways that jeopardize that commitment. Such capabilities can create vulnerabilities that enable cybercriminals or other actors to harm innocent users – a particular challenge if introduced in mass-market products.
While this G7 meeting in August has not followed in the footsteps of the Interior Ministers meetings in April, which indicated that they would ask companies to create exceptional access solutions to encrypted content, the overall policy trends remain counterproductive. The Cybersecurity Tech Accord signatories published a blog in early 2019 on this issue, highlighting the most challenging aspects of such approaches, and the commentary published then remains just as valid today.
Measures that intentionally weaken encryption, or which otherwise help agencies gain or retain access to particular technology products and services, leave those products vulnerable to malicious actors. As a result, such moves ultimately weaken the security and integrity of our online world as a whole, in addition to severely undermining trust in the digital economy and confidence in using these services, whether they are provided by businesses or governments.
To be clear, we are not dismissing the scale of the challenges we all face in this space. Governments today have a difficult task in fulfilling their responsibilities to protect and defend their national security interests as well as the human rights of their citizens online, including the rights to privacy and security. However, the response should not be to require companies to compromise the integrity of their products and services. Doing so would likely put users at risk. Addressing these challenges requires creative thinking by both public and private sector entities, resulting in innovative policy solutions, cross-sector partnerships, and a delicate balance between stopping malicious actors and protecting civil liberties.
We are grateful to the organizations responsible for putting together this timely and important letter to the G7. We look forward to continuing to work in collaboration with the leaders of the G7, and with governments around the world, to address these and other issues.