I. Defining Encryption and other Key Terms 

Encryption is the conversion of readable data into a form that can only be understood be read by those who know how to decode it.   It can consist of a code that is as simple as scrambling letters in a routinized way or as complicated as sets of symbols and numbers that are dictated by algorithms.  Examples of encryption go back to ancient Egypt, and carry forward through WWII (the German “Enigma” machines, for example) to the present day. Encryption in the electronic communication context is “decoded” only by those who have electronic “keys” to decode the communications.

A Server is a computer program or a storage unit that provides different types of functions for people’s contents.  We commonly think of a server as a computer that physically stores electronic data.  Servers can store data for individuals, for small businesses, or, in the case of the cloud, for millions of people who use email services such as Gmail, Yahoo!, or Microsoft email.

Metadata is data about data and would include things like to/from information in an email and date and time of a communication.  

An algorithm, in the context of encryption, is a general set of mathematical rules for transforming regular text, or “plaintext,” into encrypted content.

A key is a specific set of instructions used to apply the algorithm to a data or information.  The strength of the key defines the strength of the encryption.

An app is specific software that allows you to perform certain tasks.  They are available both for desktops and mobile devices.  Examples of popular apps include Facebook and LinkedIn, as well as messaging apps like those that come already on smartphones.  

A device, as discussed below, can be both a mobile device (such as a phone or a tablet) and a desktop computer or laptop.

II. Different Types of Encryption/How Encryption Works

Encryption is not new.  It has been available for personal computing on certain operating systems (including those produced by Apple and Microsoft) for many years, and before that, was generally available for both written and oral communication when such communication is over a wire.

End-to-end encryption works by having each party to a communication create a pair of keys, one of which they keep completely private, and one of which, called the “public key,” is shared. Messages between two people using an encrypted app or other can only be unlocked by the recipient’s unique private key. In practical terms, this means that the content of those transmissions can only be unlocked with access to the private key, which is protected on the communication device. Such data would include device-to-device messaging and app-to-app messaging. The Internet Service Provider (ISP), in general, cannot unlock that data.

Device encryption refers to the encryption of data on one’s own mobile device. It works by incorporating an encryption key into the security password on each person’s device (note that device encryption is available both for mobile and desktop devices). Device and end-to-end encryption work similarly, but technologically, they are separate functions. If you are utilizing device encryption on your smartphone, for example, either by default or by opting into it, this means that even the data that is sitting on your phone is fully encrypted while it is sitting there. That would include encryption of financial information, health information, or other sensitive information that a person stores locally on her phone and that isn’t backed up to a cloud or shared, as well as certain messages on messaging apps and device-to-device messages. It could also include emails that haven’t been sync’d with an email provider (such as Gmail or Yahoo!) and haven’t been backed up to a cloud.

Service-provider encryption occurs when a provider, such as a cloud storage provider, encrypts the data for the user.  In this scenario, the provider holds the encryption key and the relevant and legal policy question is when that provider can be obliged to turn over that key to a third party.

III. The Value of Encryption

Encryption protects individual’s data and preserves the free flow of information.  Encrypted products and services are widely available across the globe. Recently, experts identified 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total number of encryption products.

Encryption Reduces Cybercrime

-          Cybercrime costs the US $100 billion annually, and the global economy $445 billion each year.  Encryption is one of the primary recommended tactics for reducing cybercrime.  This is why its use has been recommended by the FBI, as well as network security experts. 

Encryption Protects Users’ Sensitive Personal Data

-          Encryption helps keep consumer’s financial, health, educational, and other sensitive data safe from those who would use it to do harm. Credit and debit card fraud alone cost over $16 billion in 2014 and will exceed $35 billion in 2020.  Encryption also helps to protect people’s data in the event of a data breach.

Encryption Protects and Fosters Free Expression

-          Encryption protects free expression around the world, especially in regimes where governments seek to punish people who speak out against violent leaders and repressive laws.

-          Reducing the efficacy of encryption in the U.S. will force users to keep their data on foreign platforms

IV. Encryption and Law Enforcement Access to Data

-          Encryption does not necessarily prevent law enforcement from pursuing investigations.  Even if data is encrypted on a device, it may be available through other means.  For instance, it may be available through valid legal process if it was backed up to the cloud or a cloud-type environment (such as a private company’s exchange servers, in the case of an employee’s emails). For these services, Internet companies or the owner of the server hold a key to unlocking this data, if it is encrypted at all. This is so that customers can, for example, restore their data if they lose it from their device.  In the case of third-party apps, there is often a corresponding service that third-party apps provide, and data may be requested from them.

-          In addition, end-to-end encryption generally does not encrypt metadata, which continues to be available to law enforcement and the intelligence community when the metadata holders are presented with valid legal process.

-          Several commentators have recently observed that while encryption may make certain discrete pools of information difficult for law enforcement to access, in other areas, law enforcement has more access to data than ever before.  Such data includes but is far from limited to social media, the camera and microphone technology provided by hundreds of objects as they become part of the Internet of things, and fitness and other wearables.  Many new “wired” objects will have Internet Protocol (IP) addresses that would be accessible to law enforcement with valid legal process.

Reform Government Surveillance companies are supporting Apple in the current litigation. As technology companies, we want to keep people safe, we want to stop crime, and accordingly, we cooperate with law enforcement in ways that are consistent with the law.  But we do not believe that the law allows the government to demand that a company create new software that supplies a backdoor to a secure technology.

Reform Government Surveillance members believe that the National Commission on Security and Technology Challenges is an important option to consider in the debate about law enforcement access to encrypted content.  Given that there are no ‘backdoors’ into encrypted systems or devices that would also maintain the security of what’s on those systems and devices, we hope that a commission can engage in a thoughtful dialogue that respects the security of users and their information, while ensuring that law enforcement has tools to fight crime and terrorism.  We hope that same thoughtful dialogue will occur as the Commission looks at other issues related to law enforcement access to data in light of new technologies and their global reach.

Reform Government Surveillance companies believe it is extremely important to deter terrorists and criminals and to help law enforcement by processing legal orders for information in order to keep us all safe.  But technology companies should not be required to build in backdoors to the technologies that keep their users’ information secure. RGS companies remain committed to providing law enforcement with the help it needs while protecting the security of their customers and their customers’ information. 

Reform Government Surveillance applauds Senate passage of the Judicial Redress Act, and urges the House to pass the amended bill as quickly as possible.  The Judicial Redress Act offers basic privacy protections for the data of citizens of countries that afford the same protections to US citizens.  Its final passage will insure that U.S. and European law enforcement can finalize an agreement that will keep our citizens safe and protect their privacy.    

We applaud the Senate Judiciary Committee for moving forward with the Judicial Redress Act this morning.  This legislation was passed by the House of Representatives last October by unanimous consent, and it is vital to protecting law enforcement’s ability to share data with our European partners.  We are encouraged that members of the committee have worked on the bill in a bipartisan manner, and we urge the full Senate move the bill forward quickly.

The Reform Government Surveillance coalition strongly supports the Judicial Redress Act (H.R.1428) and encourages all House members to support this much-needed piece of legislation when it is considered on Tuesday and strongly urges the U.S. Senate to take it up immediately upon passage.  The European Court of Justice’s decision to invalidate the U.S.-E.U. Safe Harbor agreement makes passage of the Judicial Redress Act even more imperative to preserving the flow of data between European countries and the United States.  The Coalition has consistently noted that, in general, the Act is an important next step in surveillance reform after passage of the USA Freedom Act.  By extending the rights of the Privacy Act –which allows individuals to access, review, and request correction of information that a government agency may collect– to our E.U. allies, we will enable governments to cooperate fully in cross-border law enforcement and counter-terrorism investigations.  We will also allow the U.S. to continue to rebuild trust in how consumers view technology companies when they cooperate with legitimate law enforcement requirements—an important point in light of the recent ECJ decision, and a building block in further talks between the U.S. and E.U. on transatlantic data flow.  The RGS coalition urges Congress to enact the Judicial Redress Act this year and applauds House Judiciary Committee Chairman Bob Goodlatte, Crime Subcommittee Chairman Jim Sensenbrenner, Judiciary Committee Ranking Member John Conyers and other bill supporters for their leadership on this important issue.  We look forward to working with Senate cosponsors Senator Christopher S. Murphy and Senator Orrin G. Hatch towards final passage in the Senate.  ��

The Reform Government Surveillance coalition strongly supports the Judicial Redress Act (H.R.1428) and urges the House Judiciary Committee to approve the legislation for consideration by the full House of Representatives.  Enactment of the USA Freedom Act in May was an essential step in reforming our surveillance and privacy laws, and the Judicial Redress Act is a logical and necessary next step in ensuring that citizens of our most important allies receive the same protections under the Privacy Act as we provide to American citizens whose information is in the government’s possession.  Extension of these core benefits of the Privacy Act will allow governments to cooperate fully in cross-border law enforcement and counter-terrorism investigations and will also allow the U.S. to continue to rebuild trust in how consumers view technology companies when they cooperate with legitimate law enforcement requirements.  The RGS coalition urges Congress to enact the Judicial Redress Act this year and applauds House Judiciary Committee Chairman Bob Goodlatte, Crime Subcommittee Chairman Jim Sensenbrenner, Judiciary Committee Ranking Member John Conyers and other bill supporters for their leadership on this important issue.

We commend the Senate for passing the USA Freedom Act, a bill that makes significant progress in reforming U.S. government surveillance programs and practices. The action today shows the United States’ leadership in ensuring transparency and accountability of government actions that impact the privacy and trust of Internet users.

We commend the Senate for overwhelmingly voting 77-17 to proceed on the USA Freedom Act.  The expiration of certain authorities tonight should not stop consideration of the bill, especially as the legislation contains significant reforms beyond the expiring provisions.  Congress should act to pass USA Freedom this week.  As the Senate considers amendments to the bill, we urge it to avoid adding any provisions that weaken the prohibition of bulk collection of Internet metadata, mandate data retention, or otherwise introduce new concepts or definitions that weaken consumers’ trust in the Internet.