As a company whose primary purpose is to help customers ensure the integrity of their data, we have serious concerns regarding the draft legislation recently released, the Compliance with Court Orders Act of 2016, which would require companies like Code42 to decrypt their customers’ data upon receiving a court order.
The bill states that “covered entities that receive a court order for information or data for the investigation or prosecution of specified serious crimes must provide it to the government in an intelligible format or provide the technical assistance necessary to do so.” While the bill doesn’t prescribe any specific design or operating system to make the data intelligible, it would essentially force us to build a backdoor in our endpoint backup system.
While we appreciate that the bill’s authors have started a dialogue on how to protect both data security and national security in light of the tragic San Bernardino terrorist attack, we cannot support the bill in its current form. Here are key reasons why:
It would put our customers’ data at risk
We regard data security as the most important component of our CrashPlan endpoint backup system. Hence, today we employ a multi-layered security model that includes encryption. Our current platform encrypts customers’ backup data with 256-bit encryption before it leaves their computer, and scrambles the transmission using 128-bit encryption. We have purposely put customers’ data out of our own reach to ensure privacy; the only one who can unencrypt the data is the customer.
I believe there are creative techniques and processes the government can pursue that do not involve creating a backdoor. The anti-encryption bill would require us to change our product so that someone besides the customer can unencrypt and access the data if the government comes calling—at which point the entire security premise of encryption is rendered pointless. The government asserts, as it did in the Apple iPhone case, that these backdoors would only be used by the government. But history has shown us that whatever technique or new software we create will eventually find its way into the hands of sophisticated cybercriminals. So asking us to build a backdoor exposes our customers to greater risk of data theft. That is not a compromise we’re willing to make.
It would diminish America’s competitiveness in the global marketplace
We’re proud to be among the many innovative companies that have built the American tech industry into the global standard bearer. But forcing us to undermine the integrity of our products weakens our competitiveness in the global marketplace. Why would a customer choose a technology product offered by an American company, knowing it has a built-in security vulnerability—as demanded by the bill—when they can choose a product from a company whose country has no such requirements?
Much more discussion between the government and the tech industry is needed to develop a policy that allows for both the strongest cyber protection and adequate tools for law enforcement. We look forward to engaging in that dialogue.