There's a major battle brewing over encryption right now. So where do the tech companies stand?
Law enforcement agencies are trying to demand "backdoors" to our sensitive data and communications, while civil liberties groups are fighting back through a new campaign called SaveCrypto. And President Obama seems to be trying to find a middle ground, eschewing legal mandates but continuing to informally pressure companies to provide unencrypted access to data.
Tech companies are in a unique position to know about and resist unofficial pressure from the government to provide access to user data. We hand over huge amounts of sensitive data to these companies while trusting them to keep it safe. Which companies are willing to go on the record as opposing backdoors?
Electronic Frontier Foundation rounded up the public policies of 21 of the major tech companies so you can compare them. Some of the statements are from our annual Who Has Your Back report, and some from from company blogs and transparency reports.
Take a look:
Adobe has not built 'backdoors' for any government — foreign or domestic — into our products or services. All government requests for user data need to come through the front door (i.e., by serving valid legal process upon the appropriate Adobe legal department). Adobe vigorously opposes legislation in the US and overseas that would in any way weaken the security of our products or our users' privacy protections.
While we recognise the legitimate needs of law enforcement agencies to investigate criminal and terrorist activity, and cooperate with them when they observe legal safeguards for conducting such investigations, we oppose legislation mandating or prohibiting security or encryption technologies that would have the effect of weakening the security of products, systems, or services our customers use, whether they be individual consumers or business customers.
In addition, Apple has never worked with any government agency from any country to create a "back door" in any of our products or services. We have also never allowed any government access to our servers. And we never will.
Apple deserves special praise for coming out with an even stronger statement against backdoors in its newly launched privacy website that explains the company's policies. The new statement says:
Encryption protects trillions of online transactions every day. Whether you're shopping or paying a bill, you're using encryption. It turns your data into indecipherable text that can only be read by the right key. We've been protecting your data for over a decade with SSL and TLS in Safari, FileVault on Mac, and encryption that's built into iOS. We also refuse to add a backdoor into any of our products because that undermines the protections we've built in. And we can't unlock your device for anyone because you hold the key — your unique password. We're committed to using powerful encryption because you should know the data on your device and the information you share with others is protected.
Comcast does not support the creation of extra-legal "backdoors," or the inclusion of deliberate security weaknesses in open source or other software to facilitate surveillance without proper legal process.
Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We'll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.
We're also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone.
As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.
Pinterest opposes compelled back doors and supports reforms to limit bulk surveillance requests.
Transparency is a key value for us and an important feature in Slack itself. It's this commitment to transparency that brings me to my last point — Slack opposes government-mandated "back-doors" of any kind but particularly a government-mandated requirement that would compromise data security.
Privacy and security are core values here at Snapchat and we strongly oppose any initiative that would deliberately weaken the security of our systems. We're committed to keeping your data secure and we will update this report bi-annually.
Finally, we are stating for the record our position regarding compelled inclusion of back doors, deliberate security weaknesses or disclosure of encryption keys. Sonic does not support these practices.
Security: we believe that no government should install backdoors into web security protocols, or otherwise compromise the infrastructure of the internet. We'll fight the laws that allow them to do so, and we'll work to secure our users' data against such intrusions.
We believe in robust and widespread cross-industry encryption and urge the U.S. government to adopt strong encryption standards to ensure the integrity of information of individuals, businesses and government agencies across the world.
Some governments have recently sought to weaken encryption, in the name of law enforcement. We disagree with these suggestions and do not believe that it's feasible to include any deliberate security weaknesses or other back doors in encryption technologies, even if "only" for the benefit of law enforcement. As a wise man said, "there is no such thing as a vulnerability in technology that can only be used by nice people doing the right thing in accord with the rule of law." We agree wholeheartedly.
We've encrypted many of our most important products and services to protect against snooping by governments or other actors. This includes encryption of the traffic moving between Yahoo data centres; making browsing over HTTPS the default on Yahoo Mail and Yahoo Homepage; and implementing the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We've also rolled out an end-to-end (e2e) encryption extension for Yahoo Mail, now available on GitHub. Our goal is to provide an intuitive e2e encryption solution for all of our users by the end of 2015. We are committed to the security of this solution and oppose mandates to deliberately weaken it or any other cryptographic system.
Credo Mobile, Facebook, Google, LinkedIn, Twitter, WhatsApp, and Wikimedia Foundation all signed onto a letter organised by the Open Technology Institute (OTI) that opposed efforts to intentionally weaken security, which states:
We urge you to reject any proposal that U.S. companies deliberately weaken the security of [our] products… Whether you call them "front doors" or "back doors," introducing intentional vulnerabilities into secure products for the government's use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government's own experts.
What can we conclude from this? There's tremendous amount of opposition among the technology companies against compelled backdoors.
Last week EFF, along with a diverse coalition of technology companies and civil liberties groups, launched SaveCrypto.Org, a petition site where concerned individuals can let President Obama know that the administration should come out in favour of strong encryption. While Obama has clarified his initial position, he's also promised to respond to any We the People petition that gets over 100,000 signatures. That means there's still time to influence him.
In an era of ubiquitous malicious hacking and sensitive personal information data breaches, it's time for President Obama to listen to Internet users and the companies that are standing up for users' security and privacy.
This post first appeared on Electronic Frontier Foundation's blog and is republished here under Creative Commons licence.
Image by Yuri Samoilov under Creative Commons licence.