Encryption: Balancing The Needs Of Law Enforcement And The Fourth Amendment Testimony
Yesterday, i2Coalition Co-Founder and Chairman of the Board David Snead appeared at a congressional summit on encryption at Rice University’s Baker Institute for Public Policy in Houston, Texas, in his capacity as General Counsel for i2Coalition member cPanel. Details for the panel can be found below.
Congressman Ted Poe and Congressman Pete Olson invite you to attend a Congressional summit on “Encryption: Balancing the Needs of Law Enforcement and the Fourth Amendment” on April 11th. Hosted at Rice University’s Baker Institute for Public Policy (6100 Main Street), the summit features testimony from multiple experts, including senior executives and legal counsel for several technology companies, a senior law enforcement official from Harris County and a Rice University professor.
Here is the testimony presented at that event:
Congressional Summit on Encryption
The Congressional Summit on Encryption at Rice University hosted by Ted Poe
Below is the written testimony:
Statement for the Record
Encryption: Balancing the needs of Law Enforcement and the Fourth Amendment
Before: Congressman Ted Poe, Pete Olson and Blake Farenthold
April 11, 2016
Baker Institute, Rice University
David Snead
General Counsel, cPanel, Inc.
Houston, Texas
Introduction
Thank you very much for the opportunity to appear today. I’m David Snead and am General Counsel for cPanel, Inc. cPanel is a web hosting automation platform that is based in Houston, and is in Mr. Poe’s district. In addition to my work with cPanel, I am also the Chairman of the Board and co-founder of the Internet Infrastructure Coalition – or I2Coalition – an association of about 90 companies, like cPanel and Rackspace, who provide the Internet’s infrastructure.
Encryption is extremely important to both cPanel and the I2Coalition. Simply put, encryption keeps things safe online. The Internet infrastructure is what makes the Internet work. Its security is vitally important to the websites and applications that run on it. Encryption is enormously important both to network security and consumer choice.
Internet infrastructure providers are using encryption to secure their networks, technology and code. Encryption helps to promote and protect cybersecurity, economic growth and human rights both in the U.S. and worldwide. Encryption secures communication on networks and forms a line of defense from access to data by those who should not have access to it whether they’re criminals, governments, or even trusted third parties. Companies like cPanel use, and facilitate the use of, encryption, not because we want to hide data from legitimate access, but to keep customer data safe. Encryption is our first, best, defense against hacking our platform, our network, and the Internet in general.
We believe that strong encryption and law enforcement can co-exist. Indeed, there is no need to pit network security against law enforcement. Doing so is a false choice.
Encryption is an Essential Component of Internet Security
Underlying the Internet is a complex network of companies, technology and people who make the Internet work. Internet infrastructure companies, like cPanel, are responsible for moving most, if not all, of the data on the global Internet. Many Infrastructure companies, like I2Coalition member Rackspace, come into contact with that data when it is placed on their servers by customers. Internet infrastructure providers are often in a position between the creators of data and the users of data.
Given their central place in the Internet, Internet infrastructure providers are particularly concerned about the security and integrity of Internet data. Encryption lies at the heart of creating this security. For example, cPanel uses encryption technology like OpenSSL to secure interaction with our technology. We encrypt credit card data and passwords to ensure that only those authorized to use this data do so. We also facilitate the use of encryption by our customers who may use our product for email and other functions that require that data be secure, and that its integrity be assured.
Internet infrastructure providers are constantly testing their products and networks for back doors, flaws, vulnerabilities and anything that would compromise security. It is hard to imagine a network security review protocol that has the ability to distinguish between an authorized back door and an unauthorized back door. Using encryption removes one possible way data can be compromised.
Most Internet infrastructure providers like web hosting companies, who have access to data, use encryption in two ways: first, to secure their network generally; second, like cPanel, to secure their own business data. These providers may encrypt data in their backup systems, or other data that is at rest and stored by them. Data that is well encrypted is generally useless to those gaining access to it. For Internet infrastructure providers, this helps deter attempts to gain access to this data, and minimizes liability and needs for remediation should it be disclosed. This last aspect of encryption helps ensure compliance with the myriad of state data breach laws which generally encourage use of encryption to protect data.
An aspect of encryption that is not typically discussed is the role it plays in ensuring data integrity. For example, the use of encryption in email helps assure that the data is not tampered with during transmission. This facilitates trust that the day-to-day communications we receive say what they represent to say. For companies like cPanel, our ability to use encryption and encryption technology to build trust in Internet transactions is key to the growth of our customers and our company.
Our Customers Demand Encryption
Over the past seven years, society has spent significant time educating businesses and consumers to encrypt their data. At its most basic, we’ve taught consumers to look for indicators of encryption like closed padlocks or websites starting with https://. For businesses like cPanel, we must facilitate encryption to allow our customers to simply do business on the Internet. Our customers are required to use encryption to engage in credit card transactions and to comply with their obligations under many state and federal laws.
Many Internet infrastructure companies are several layers removed from their ultimate customer. The ultimate customer, then, seeks to use encryption to ensure that even trustworthy entities like a web host, do not have access to that data. Preserving the ability of entities who do not have direct business relationships to trust that their data will not be accessed even by trustworthy third parties strengthens the Internet economy.
Trust Undergirds the Internet Economy
It is hard to imagine that the distributed infrastructure that has created the Internet would exist without the ability to encrypt data. Encryption ensures trust and integrity. When a company puts data on a third party’s servers, they can be assured that no one will gain access to that data without their knowledge and consent. Because the U.S. lies at the heart of the Internet economy, undermining our ability to ensure that data remains trustworthy would undercut our economy.
Importantly, changing the way encryption works, whether by mandating backdoors, or creating some other change, could jeopardize the U.S. economy. Internet infrastructure providers compete globally. Products like cPanel exist in a highly competitive market: there are very few impediments to customers who seek to use web automation software created in the U.S., or outside the U.S. Should we be required to modify, or weaken, the encryption used in our software, it would be very simple for our customers to migrate their business to competitors whose governments do not do so.
Encryption Only Functions as Designed
What makes encryption work is that only those with the keys have access to encrypted data. Encryption that is compromised, whether through a backdoor, or with a third party holding a key, is not encryption. Encryption only works when data remains confidential, and our customers can trust that it remains confidential. Security with a backdoor is not encryption, it is something else.
Prominent security researcher Bruce Schneier has stated: “Either we build encryption systems to keep everyone secure, or we build them to leave everybody vulnerable.” There’s no way to know that today’s highly sophisticated backdoors designed for US law enforcement access couldn’t be exploited by criminals tomorrow. Importantly, introducing U.S. public policy priorities into a fundamental aspect of Internet security will only encourage other countries to do the same. Not only will this weaken the security of the Internet as a whole, and expose important data to the eyes of individuals and governments who we may not want to have access to it, it will also create conflicting regulatory requirements.
Conclusion
The discussion about access to data is a healthy one. There is no balance to be struck in the discussion about encryption. Data security and authorized law enforcement access to data can exist together. cPanel looks forward to participating in this healthy discussion, and we appreciate the opportunity to be here today.