The current stand-off between Apple and the FBI highlights a growing problem: How do we balance privacy rights with the current patchwork of legislation that has failed to keep pace with the technological advances changing business and society?

For anyone following current events, the ongoing debate displays the need for comprehensive legislation. Will Apple continue to defy the court order and, in essence, prevent the government from gaining information from a corporate-owned device used by a dead terrorist? Is the government prepared to set a precedent and force Apple and other companies to knowingly provide code to make it easier for both US and foreign governments to gain access to corporate or personal data? The answers to these questions are vitally important to the future of encryption. As a U.S. citizen, I respect the loss of life and the need to hold accountable those responsible for such horrific acts. However, as general counsel for an international company, the implications of punching holes in encryption, even to help law enforcement, would be precedent-setting.

Now more than ever, consumers are concerned with how their information may be used and collected. Smartphones carry more information about a person’s life than ever before. They may contain private conversations, financial accounts, credit cards, health data and even the location of your friends and family. Smartphones have made it easy to access information quickly and consumers want to ensure that this information is properly protected from unwanted eyes.

Consumers need to have trust in the public and private sectors. The private sector recognized this need and in response created an ecosystem where individuals hold the key to their data. This helped reestablish trust that businesses were not collecting and gathering information without their knowledge. However, governments have been slow to modernize legislation, and now face the question of how to gather information from these encrypted devices when it satisfies certain legal requirements.

We cannot fall back to a time without encryption.  Recent data breaches demonstrate the need to secure information.  Encryption helps businesses secure their data on-site or in the cloud, and it protects the public utility infrastructure we use every day.  Private and public sector entities need the technology to protect data against bad actors.

As technology advances, there will be increased public discussion around privacy, encryption and the state’s right to access information.  Both the public and private sector need to further this dialogue to find a middle ground that provides everyone the necessary protection and ability to gather information when needed.  Without this agreement, and proper legislation, the questions being debated will only become more complex.

As a leader in certifying cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes comprehensive legislation is needed to help educate and certify the next generation of security professionals.  This is a real opportunity to learn, and build laws and regulations for the future.  We call on legislators to work with industry, professional bodies, interested parties and law enforcement to define these processes and frameworks so that no organization, individual or law enforcement agency has to repeat this in the future. — Graham Jackson, (ISC)² General Counsel

[(ISC)² Blog]

By Philip Hung Cao
